
Mattermost — Vulnerabilities & Security Advisories (352)

All 352 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs.

Vendor: Mattermost

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-43105 | Excessive resource consumption via `/export` | CWE-400 | 4.3 | Medium | 2024-08-23 |
| CVE-2024-43780 | Unauthorized channel file upload | CWE-284 | 4.3 | Medium | 2024-08-22 |
| CVE-2024-40884 | Unauthorized disabling of invite URL | CWE-284 | 2.7 | Low | 2024-08-22 |
| CVE-2024-42497 | Insufficient permission checks on teams | CWE-284 | 6.0 | Medium | 2024-08-22 |
| CVE-2024-8071 | System role with edit access to permissions can elevate itself to system admin | CWE-284 | 4.7 | Medium | 2024-08-22 |
| CVE-2024-42411 | User creation date manipulation in POST /api/v4/users | CWE-754 | 5.3 | Medium | 2024-08-22 |
| CVE-2024-40886 | One-click client-side path traversal leading to CSRF in the User Management admin page | CWE-352 | 4.6 | Medium | 2024-08-22 |
| CVE-2024-43813 | IDOR when marking a user's channel as read | CWE-284 | 4.3 | Medium | 2024-08-22 |
| CVE-2024-39810 | Server crash via Elasticsearch certificate file | CWE-400 | 4.9 | Medium | 2024-08-22 |
| CVE-2024-32939 | Email addresses of remote users visible in props regardless of server settings | CWE-284 | 4.3 | Medium | 2024-08-22 |
| CVE-2024-39836 | Munged email address used for password resets and notifications | CWE-693 | 4.8 | Medium | 2024-08-22 |
| CVE-2024-41926 | Malicious remote can claim that a user was synced from another remote | CWE-284 | 2.7 | Low | 2024-08-01 |
| CVE-2024-41162 | Malicious remote can make an arbitrary local channel read-only | CWE-284 | 4.1 | Medium | 2024-08-01 |
| CVE-2024-41144 | Malicious remote can create/update/delete arbitrary posts in arbitrary channels | CWE-284 | 5.5 | Medium | 2024-08-01 |
| CVE-2024-39839 | Remote username set to an arbitrary string by remote user | CWE-284 | 4.3 | Medium | 2024-08-01 |
| CVE-2024-39837 | Malicious remote can create arbitrary channels | CWE-284 | 3.8 | Low | 2024-08-01 |
| CVE-2024-39832 | Permanent local data deletion by malicious remote | CWE-754 | 6.8 | Medium | 2024-08-01 |
| CVE-2024-39777 | Malicious remote can invite itself to an arbitrary local channel | CWE-284 | 8.7 | High | 2024-08-01 |
| CVE-2024-39274 | Malicious remote can add users to arbitrary teams and channels | CWE-284 | 8.7 | High | 2024-08-01 |
| CVE-2024-36492 | Existing local user overwritten by malicious remote | CWE-284 | 7.4 | High | 2024-08-01 |
| CVE-2024-29977 | Malicious remote can create arbitrary reactions on arbitrary posts | CWE-284 | 2.7 | Low | 2024-08-01 |
| CVE-2024-39767 | Spoofed push notifications from malicious server | CWE-287 | 4.2 | Medium | 2024-07-15 |
| CVE-2024-32945 | LaTeX post content manipulation via renderer state leak across contexts | CWE-909 | 2.6 | Low | 2024-07-15 |
| CVE-2024-6428 | Limited DoS due to permitting creation of users with user-defined IDs | CWE-284 | 5.3 | Medium | 2024-07-03 |
| CVE-2024-39353 | RemoteClusterFrame payloads are audit logged in full | CWE-200 | 2.7 | Low | 2024-07-03 |
| CVE-2024-39361 | Creating posts with user-defined IDs permitted in CreatePost API | CWE-284 | 3.1 | Low | 2024-07-03 |
| CVE-2024-39830 | Timing attack during remote cluster token comparison when shared channels are enabled | CWE-287 | 8.1 | High | 2024-07-03 |
| CVE-2024-39807 | Channel IDs of archived/restored channels leaked via webhook events | CWE-200 | 3.1 | Low | 2024-07-03 |
| CVE-2024-36257 | Lack of permission check when updating the profile picture of a remote user (shared channels enabled) | CWE-284 | 2.7 | Low | 2024-07-03 |
| CVE-2024-37182 | Lack of permission prompting when opening external URLs | CWE-693 | 4.7 | Medium | 2024-06-14 |
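The entry for CVE-2024-39830 names only the vulnerability class, a timing attack in a token comparison; the page gives no detail of how Mattermost's code was affected or fixed. The following Go program is an added illustration of that class in general and is not Mattermost's code: it shows why an early-exit byte comparison lets a remote party recover a shared token one byte at a time, and the constant-time pattern (hash both sides, then `crypto/subtle`) that removes the signal. The secret, the hex alphabet and the step-counting oracle are constructed for the example; a real attacker would infer the step count from response latency rather than read it directly.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// naiveTokenEqual compares two tokens byte by byte and returns at the first
// mismatch, as a hand-rolled loop does. Besides the result it reports how many
// byte comparisons it performed: that count is what a remote attacker observes,
// indirectly, as response time.
func naiveTokenEqual(secret, presented string) (equal bool, steps int) {
	if len(secret) != len(presented) {
		return false, 0
	}
	for i := 0; i < len(secret); i++ {
		steps++
		if secret[i] != presented[i] {
			return false, steps
		}
	}
	return true, steps
}

// constantTimeTokenEqual hashes both sides so the comparison runs over
// fixed-size digests (which also hides the secret's length), then uses
// crypto/subtle, whose running time depends only on the digest length.
func constantTimeTokenEqual(secret, presented string) bool {
	a := sha256.Sum256([]byte(secret))
	b := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// timingOracle models the side channel: for a guess, the attacker learns
// whether it was accepted and roughly how far the comparison got.
type timingOracle func(guess string) (accepted bool, steps int)

// recoverToken rebuilds a token of known length one byte at a time. At each
// position it tries every alphabet byte and keeps the one whose comparison ran
// longest; a correct byte lets the server's loop advance one step further.
// The second return value reports whether the oracle ever accepted a guess.
func recoverToken(length int, alphabet string, oracle timingOracle) (string, bool) {
	known := make([]byte, 0, length)
	for pos := 0; pos < length; pos++ {
		bestByte, bestSteps := byte(0), -1
		for i := 0; i < len(alphabet); i++ {
			guess := make([]byte, length) // unguessed tail stays as zero bytes
			copy(guess, known)
			guess[pos] = alphabet[i]
			accepted, steps := oracle(string(guess))
			if accepted {
				return string(guess), true
			}
			if steps > bestSteps {
				bestSteps, bestByte = steps, alphabet[i]
			}
		}
		known = append(known, bestByte)
	}
	return string(known), false
}

func main() {
	const secret = "7f3a9c" // constructed sample, not a real token
	const alphabet = "0123456789abcdef"

	// Leaky server: 6 positions x 16 candidates, at most 96 queries.
	leaky := func(guess string) (bool, int) { return naiveTokenEqual(secret, guess) }
	got, ok := recoverToken(len(secret), alphabet, leaky)
	fmt.Printf("naive compare:         recovered %q accepted=%v\n", got, ok)

	// Hardened server: every rejected guess costs the same work, so the
	// oracle carries no per-byte signal and the attacker learns nothing.
	safe := func(guess string) (bool, int) {
		return constantTimeTokenEqual(secret, guess), sha256.Size
	}
	got, ok = recoverToken(len(secret), alphabet, safe)
	fmt.Printf("constant-time compare: recovered %q accepted=%v\n", got, ok)
}
```

Against the naive comparison the search needs at most length times alphabet-size queries instead of alphabet-size to the power of length; against the hashed constant-time comparison every candidate scores the same, so the search degenerates to a guess. Hashing before comparing is what makes a length mismatch indistinguishable from a content mismatch, which a bare `subtle.ConstantTimeCompare` on the raw tokens would still reveal.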
