Filtered by vendor Mattermost
Subscriptions
Total
454 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-44001 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-25 | 4 Medium |
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint. | ||||
| CVE-2025-49221 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-24 | 3.7 Low |
| Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint. | ||||
| CVE-2024-11358 | 2 Google, Mattermost | 3 Android, Mattermost, Mattermost Mobile | 2025-09-24 | 5.7 Medium |
| Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider. | ||||
| CVE-2025-0476 | 1 Mattermost | 1 Mattermost Mobile | 2025-09-24 | 4.3 Medium |
| Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment | ||||
| CVE-2025-20072 | 1 Mattermost | 2 Mattermost, Mattermost Mobile | 2025-09-24 | 6.5 Medium |
| Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input. | ||||
| CVE-2025-20630 | 1 Mattermost | 1 Mattermost Mobile | 2025-09-24 | 6.5 Medium |
| Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel. | ||||
| CVE-2025-30516 | 1 Mattermost | 1 Mattermost Mobile | 2025-09-24 | 2 Low |
| Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications | ||||
| CVE-2025-54463 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-24 | 5.9 Medium |
| Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. | ||||
| CVE-2025-54478 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-24 | 7.2 High |
| Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint. | ||||
| CVE-2025-54525 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-24 | 7.5 High |
| Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body. | ||||
| CVE-2025-8285 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-24 | 4 Medium |
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint. | ||||
| CVE-2025-9076 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-20 | 6.5 Medium |
| Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled. | ||||
| CVE-2025-9072 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-17 | 7.6 High |
| Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL. | ||||
| CVE-2025-9084 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-17 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs | ||||
| CVE-2025-9078 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-17 | 4.3 Medium |
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing | ||||
| CVE-2025-8023 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-08-25 | 6.8 Medium |
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories. | ||||
| CVE-2025-2527 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-08-22 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. | ||||
| CVE-2025-53971 | 1 Mattermost | 1 Mattermost | 2025-08-22 | 3.8 Low |
| Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint. | ||||
| CVE-2025-47870 | 1 Mattermost | 1 Mattermost | 2025-08-22 | 4.3 Medium |
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id. | ||||
| CVE-2025-47700 | 1 Mattermost | 2 Mattermost, Server | 2025-08-22 | 3.5 Low |
| Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions | ||||