github.com/mattermost/mattermost-server vulnerabilities

222 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 222
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 18, MEDIUM 100, LOW 22, UNKNOWN 72

Vulnerabilities

Page 7 of 12
CVE-2024-39836 (severity: UNKNOWN; published 2024-08-30)
Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more
Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-39274 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-39839 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-41162 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-41144 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost allows a remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-41926 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.9.0+incompatible, < 9.9.1+incompatible
Mattermost allows a remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-29977 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.9.0+incompatible, < 9.9.1+incompatible
Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-36492 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-39832 (severity: UNKNOWN; published 2024-08-06)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
Source: OSV

CVE-2024-39837 (severity: LOW; CWE-284; published 2024-08-01)
Affected: ≥ 9.9.0, < 9.9.1; ≥ 9.5.0, < 9.5.7
Mattermost did not properly restrict channel creation
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation, which allows a malicious remote to create arbitrary channels when shared channels were enabled.
Sources: GHSA, OSV

CVE-2024-1949 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.0.0+incompatible, < 9.4.2+incompatible
Mattermost race condition in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affect
Source: OSV

CVE-2023-48732 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 0, < 8.1.7+incompatible
Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-23493 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more
Mattermost leaks details of AD/LDAP groups of a team in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-1953 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more
Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-24988 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible
Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-1888 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more
Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-1402 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.1.0+incompatible, < 9.1.5+incompatible; ≥ 9.2.0+incompatible, < 9.2.4+incompatible
Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-1887 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible
Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-1942 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible
Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV

CVE-2024-23488 (severity: UNKNOWN; published 2024-06-28)
Affected: ≥ 9.0.0+incompatible, < 9.4.2+incompatible
Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
Source: OSV