| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2024-8071 | System Role with edit access to permissions can elevate themselves to system admin | Mattermost | Mattermost | Medium | 4.7 | 2024-08-22 06:39:55 |
| CVE-2024-42411 | User creation date manipulation in POST /api/v4/users | Mattermost | Mattermost | Medium | 5.3 | 2024-08-22 06:32:57 |
| CVE-2024-40886 | One-click Client-Side Path Traversal Leading to CSRF in User Management admin page | Mattermost | Mattermost | Medium | 4.6 | 2024-08-22 06:32:12 |
| CVE-2024-43813 | IDOR when marking read a user's channel | Mattermost | Mattermost | Medium | 4.3 | 2024-08-22 06:30:59 |
| CVE-2024-39810 | Server crash via Elasticsearch certificate file | Mattermost | Mattermost | Medium | 4.9 | 2024-08-22 06:30:12 |
| CVE-2024-32939 | Email addresses of remote users visible in props regardless of server settings | Mattermost | Mattermost | Medium | 4.3 | 2024-08-22 06:29:01 |
| CVE-2024-39836 | Munged email address used for password resets and notifications | Mattermost | Mattermost | Medium | 4.8 | 2024-08-22 06:27:10 |
| CVE-2024-41926 | Malicious remote can claim that a user was synced from another remote | Mattermost | Mattermost | Low | 2.7 | 2024-08-01 14:05:11 |
| CVE-2024-41162 | Malicious remote can make an arbitrary local channel read-only | Mattermost | Mattermost | Medium | 4.1 | 2024-08-01 14:05:10 |
| CVE-2024-41144 | Malicious remote can create/update/delete arbitrary posts in arbitrary channels | Mattermost | Mattermost | Medium | 5.5 | 2024-08-01 14:05:08 |
| CVE-2024-39839 | Remote username set to an arbitrary string by remote user | Mattermost | Mattermost | Medium | 4.3 | 2024-08-01 14:05:07 |
| CVE-2024-39837 | Malicious remote can create arbitrary channels | Mattermost | Mattermost | Low | 3.8 | 2024-08-01 14:05:06 |
| CVE-2024-39832 | Permanently local data deletion by malicious remote | Mattermost | Mattermost | Medium | 6.8 | 2024-08-01 14:05:05 |
| CVE-2024-39777 | Malicious remote can invite itself to an arbitrary local channel | Mattermost | Mattermost | High | 8.7 | 2024-08-01 14:05:04 |
| CVE-2024-39274 | Malicious remote can add users to arbitrary teams and channels | Mattermost | Mattermost | High | 8.7 | 2024-08-01 14:05:03 |
| CVE-2024-36492 | Existing local user overwritten by malicious remote | Mattermost | Mattermost | High | 7.4 | 2024-08-01 14:05:01 |
| CVE-2024-29977 | Malicious remote can create arbitrary reactions on arbitrary posts | Mattermost | Mattermost | Low | 2.7 | 2024-08-01 14:05:00 |
| CVE-2024-39767 | Spoofed push notifications from malicious server | Mattermost | Mattermost | Medium | 4.2 | 2024-07-15 08:43:10 |
| CVE-2024-32945 | LaTeX post content manipulation via renderer state leak across contexts | Mattermost | Mattermost | Low | 2.6 | 2024-07-15 08:42:19 |
| CVE-2024-6428 | Limited DoS due to permitting creating users with user-defined IDs | Mattermost | Mattermost | Medium | 5.3 | 2024-07-03 08:39:28 |