Github.Com Mattermost Mattermost-Plugin-Confluence vulnerabilities

CVE-2025-13523 [HIGH] CWE-79 Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering Mattermost Confluence plugin version < 1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers

CVE-2025-52931 [HIGH] CWE-754 Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the update channel subscription endpoint with an invalid request body.

CVE-2025-44004 [HIGH] CWE-306 Mattermost Confluence Plugin is Missing Authentication for Critical Function Mattermost Confluence Plugin is Missing Authentication for Critical Function Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint.

CVE-2025-54525 [HIGH] CWE-1287 Mattermost Confluence Plugin has Improper Validation of Specified Type of Input Mattermost Confluence Plugin has Improper Validation of Specified Type of Input Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the create channel subscription endpoint with an invalid request body.

CVE-2025-54478 [MEDIUM] CWE-306 Mattermost Confluence Plugin is Missing Authentication for Critical Function Mattermost Confluence Plugin is Missing Authentication for Critical Function Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.

CVE-2025-54463 [MEDIUM] CWE-754 Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request body.

CVE-2025-53910 [MEDIUM] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without proper access to the channel via an API call to the edit channel subscription endpoint.

CVE-2025-48731 [MEDIUM] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Confluence spaces that users do not have access to through the edit subscription endpoint.

CVE-2025-8285 [MEDIUM] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint.

CVE-2025-54458 [MEDIUM] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fails to check user access of the Confluence space, allowing attackers to create a subscription to a Confluence space the user does not have access to via the create subscription endpoint.

CVE-2025-44001 [MEDIUM] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call to the Get Channel Subscriptions details endpoint.

CVE-2025-53514 [MEDIUM] CWE-754 Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allow\ing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request body.

CVE-2025-49221 [LOW] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated attackers to access subscription details via an API call to the GET subscription endpoint.

CVE-2025-53857 [LOW] CWE-862 Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin has Missing Authorization vulnerability Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.