
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2023-2788 | Deactivated user can retain access using oauth2 api | Mattermost | CWE-862 | 6.2 | Medium | 2023-06-16
CVE-2023-2787 | Collapsed Reply Threads APIs leak message contents from private channels | Mattermost | CWE-862 | 6.5 | Medium | 2023-06-16
CVE-2023-2786 | Channel commands execution doesn't properly verify permissions | Mattermost | CWE-862 | 4.3 | Medium | 2023-06-16
CVE-2023-2784 | Apps Framework allows install requests from regular members via an internal path | Mattermost App Framework | CWE-862 | 4.2 | Medium | 2023-06-16
CVE-2023-2783 | App Framework does not check for the secret provided in the incoming webhook request | Mattermost App Framework | CWE-862 | 4.3 | Medium | 2023-06-16
CVE-2023-2808 | Lack of URL normalization allows rendering previews for disallowed domains | Mattermost | CWE-20 | 4.3 | Medium | 2023-05-29
CVE-2023-2514 | DB username/password revealed in application logs | Mattermost | CWE-200 | 6.7 | Medium | 2023-05-12
CVE-2023-2515 | Privilege escalation to system admin via personal access tokens | Mattermost | CWE-863 | 4.7 | Medium | 2023-05-12
CVE-2023-2000 | Unrestricted navigation due to unvalidated Mattermost server redirection | Mattermost | CWE-601 | 5.4 | Medium | 2023-05-02
CVE-2023-2281 | Archiving a team broadcasts unsanitized data over WebSockets | Mattermost | CWE-200 | 3.1 | Low | 2023-04-25
CVE-2023-2193 | Oauth authorization codes do not expire when deauthorizing an oauth2 app | Mattermost | CWE-862 | 6.5 | Medium | 2023-04-20
CVE-2023-1831 | User password logged in audit logs | Mattermost | CWE-200 | 7.2 | High | 2023-04-17
CVE-2023-1777 | Information disclosure in linked message previews | Mattermost | CWE-200 | 6.5 | Medium | 2023-03-31
CVE-2023-1776 | Stored XSS via SVG attachment on Boards | Mattermost | CWE-79 | 7.3 | High | 2023-03-31
CVE-2023-1775 | Unsanitized events sent over Websocket to regular users in a High Availability environment | Mattermost | CWE-200 | 4.3 | Medium | 2023-03-31
CVE-2023-1774 | Unauthorized email invite to a private channel | Mattermost | CWE-862 | 4.2 | Medium | 2023-03-31
CVE-2023-1562 | Full name revealed via /plugins/focalboard/api/v2/users | Mattermost | CWE-200 | 3.5 | Low | 2023-03-22
CVE-2023-1421 | Reflected XSS in OAuth flow completion endpoints | Mattermost | CWE-79 | 3.5 | Low | 2023-03-15
CVE-2023-27266 | Disclosure of team owner email address when accessing the teams API | Mattermost | CWE-200 | 2.7 | Low | 2023-02-27
CVE-2023-27265 | Disclosure of team owner email address when regenerating Invite ID | Mattermost | CWE-200 | 2.7 | Low | 2023-02-27
CVE-2023-27264 | IDOR: Updating a playbook via the Playbooks API | Mattermost | CWE-862 | 7.1 | High | 2023-02-27
CVE-2023-27263 | IDOR: Accessing playbook runs via the Playbooks Runs API | Mattermost | CWE-862 | 4.3 | Medium | 2023-02-27
CVE-2022-4045 | Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server | Mattermost | CWE-770 | 3.1 | Low | 2022-11-23
CVE-2022-4044 | Authenticated user could send multiple requests containing a large Auto Responder Message payload and can crash a Mattermost server | Mattermost | CWE-770 | 4.3 | Medium | 2022-11-23
CVE-2022-4019 | Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server | Playbooks Plugin | CWE-770 | 4.3 | Medium | 2022-11-23
CVE-2022-3257 | Server-side Denial of Service while processing a specifically crafted GIF file | Mattermost | CWE-400 | 3.1 | Low | 2022-09-23
CVE-2022-3147 | Server-side Denial of Service while processing a specifically crafted JPEG file | Mattermost | CWE-400 | 3.1 | Low | 2022-09-09
CVE-2022-2408 | Guest accounts can list all public channels | Mattermost | CWE-200 | 4.3 | Medium | 2022-07-14
CVE-2022-2406 | Malicious imports can lead to Denial of Service | Mattermost | CWE-400 | 4.3 | Medium | 2022-07-14
CVE-2022-2401 | Team members could access sensitive information of other users via an API call | Mattermost | CWE-200 | 6.5 | Medium | 2022-07-14

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.