
Mattermost — Vulnerabilities & Security Advisories (352)

All 352 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs.

Vendor: Mattermost

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2023-3581 | WebSockets accept connections from HTTPS origin | CWE-346 | 6.2 | Medium | 2023-07-17
CVE-2023-3577 | Limited blind SSRF to localhost/intranet in interactive dialog implementation | CWE-918 | 3.5 | Low | 2023-07-17
CVE-2023-2785 | Specially crafted search query can cause large log entries in postgres | CWE-400 | 4.3 | Medium | 2023-06-16
CVE-2023-2831 | Denial of Service while unescaping a Markdown string | CWE-400 | 4.3 | Medium | 2023-06-16
CVE-2023-2793 | Stack exhaustion in PreparePostForClientWithEmbedsAndImages | CWE-400 | 6.5 | Medium | 2023-06-16
CVE-2023-2792 | Ephemeral messages return private channel contents in permalink previews | CWE-200 | 6.5 | Medium | 2023-06-16
CVE-2023-2791 | Playbooks lets you edit arbitrary posts | CWE-862 | 4.3 | Medium | 2023-06-16
CVE-2023-2788 | Deactivated user can retain access using oauth2 api | CWE-862 | 6.2 | Medium | 2023-06-16
CVE-2023-2787 | Collapsed Reply Threads APIs leak message contents from private channels | CWE-862 | 6.5 | Medium | 2023-06-16
CVE-2023-2786 | Channel commands execution doesn't properly verify permissions | CWE-862 | 4.3 | Medium | 2023-06-16
CVE-2023-2808 | Lack of URL normalization allows rendering previews for disallowed domains | CWE-20 | 4.3 | Medium | 2023-05-29
CVE-2023-2514 | DB username/password revealed in application logs | CWE-200 | 6.7 | Medium | 2023-05-12
CVE-2023-2515 | Privilege escalation to system admin via personal access tokens | CWE-863 | 4.7 | Medium | 2023-05-12
CVE-2023-2000 | Unrestricted navigation due to unvalidated mattermost server redirection | CWE-601 | 5.4 | Medium | 2023-05-02
CVE-2023-2281 | Archiving a team broadcasts unsanitized data over WebSockets | CWE-200 | 3.1 | Low | 2023-04-25
CVE-2023-2193 | Oauth authorization codes do not expire when deauthorizing an oauth2 app | CWE-862 | 6.5 | Medium | 2023-04-20
CVE-2023-1831 | User password logged in audit logs | CWE-200 | 7.2 | High | 2023-04-17
CVE-2023-1777 | Information disclosure in linked message previews | CWE-200 | 6.5 | Medium | 2023-03-31
CVE-2023-1776 | Stored XSS via SVG attachment on Boards | CWE-79 | 7.3 | High | 2023-03-31
CVE-2023-1775 | Unsanitized events sent over Websocket to regular users in a High Availability environment | CWE-200 | 4.3 | Medium | 2023-03-31
CVE-2023-1774 | Unauthorized email invite to a private channel | CWE-862 | 4.2 | Medium | 2023-03-31
CVE-2023-1562 | Full name revealed via /plugins/focalboard/api/v2/users | CWE-200 | 3.5 | Low | 2023-03-22
CVE-2023-1421 | Reflected XSS in OAuth flow completion endpoints | CWE-79 | 3.5 | Low | 2023-03-15
CVE-2023-27266 | Disclosure of team owner email address when accessing the teams API | CWE-200 | 2.7 | Low | 2023-02-27
CVE-2023-27265 | Disclosure of team owner email address when regenerating Invite ID | CWE-200 | 2.7 | Low | 2023-02-27
CVE-2023-27264 | IDOR: Updating a playbook via the Playbooks API | CWE-862 | 7.1 | High | 2023-02-27
CVE-2023-27263 | IDOR: Accessing playbook runs via the Playbooks Runs API | CWE-862 | 4.3 | Medium | 2023-02-27
CVE-2022-4045 | Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and crash a Mattermost server | CWE-770 | 3.1 | Low | 2022-11-23
CVE-2022-4044 | Authenticated user could send multiple requests containing a large Auto Responder Message payload and crash a Mattermost server | CWE-770 | 4.3 | Medium | 2022-11-23
CVE-2022-3257 | Server-side Denial of Service while processing a specifically crafted GIF file | CWE-400 | 3.1 | Low | 2022-09-23

All 352 known CVE vulnerabilities affecting Mattermost with full Chinese analysis, references, and POCs where available.