Filtered by vendor Mattermost
Subscriptions
Filtered by product Mattermost
Subscriptions
Total
166 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1472 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 4.3 Medium |
| Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. | ||||
| CVE-2025-20033 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 4.3 Medium |
| Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. | ||||
| CVE-2025-20621 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 6.5 Medium |
| Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel. | ||||
| CVE-2025-21088 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 6.5 Medium |
| Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. | ||||
| CVE-2025-24526 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 4.3 Medium |
| Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it | ||||
| CVE-2025-24839 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. | ||||
| CVE-2025-24866 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 2.7 Low |
| Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs. | ||||
| CVE-2025-27571 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived. | ||||
| CVE-2025-2475 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 5.4 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials. | ||||
| CVE-2025-2564 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled. | ||||
| CVE-2025-2570 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 2.7 Low |
| Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console. | ||||
| CVE-2025-35965 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 6.5 Medium |
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. | ||||
| CVE-2024-50052 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | ||||
| CVE-2024-12247 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.6 Medium |
| Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated. | ||||
| CVE-2024-34152 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control which allows a guest to get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server | ||||
| CVE-2025-32093 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.7 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. | ||||
| CVE-2024-10241 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | ||||
| CVE-2024-9155 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of. | ||||
| CVE-2025-0503 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. | ||||
| CVE-2025-1412 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | ||||