github.com/mattermost/mattermost-server vulnerabilities

222 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 222
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 18, MEDIUM 100, LOW 22, UNKNOWN 72

Vulnerabilities

Page 8 of 12
CVE-2024-2447 | Severity: UNKNOWN | Affected: ≥ 9.3.0+incompatible, < 9.3.3+incompatible; ≥ 9.4.0+incompatible, < 9.4.4+incompatible; +1 more | Published: 2024-06-05
Title: Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
Description: Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard G
Sources: osv
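The affected-version notation used throughout this listing (pairs of "≥ lo, < hi" bounds run together, carrying Go build metadata such as +incompatible and pre-release tags such as -rc1) is easy to misread by eye. The Go program below is an added example, not code from this page or from the Mattermost project: it parses that notation and reports whether a given installed module version falls inside any range. The sample range string is copied from the CVE-2024-2447 entry above; the version strings it is checked against are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed module version: major.minor.patch plus an optional
// pre-release label ("rc1", or the timestamp-hash part of a pseudo-version).
// Build metadata such as "+incompatible" is dropped; it never affects ordering.
type version struct {
	nums [3]int
	pre  string
}

// parseVersion accepts "v9.3.2+incompatible", "9.6.0-rc1", "0" and
// "0.0.0-20240209181221-674f549daf0e"; missing components default to 0.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // drop build metadata
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:] // split off pre-release label
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("malformed version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("malformed version %q", s)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare orders two versions; a pre-release sorts before its release
// (9.6.0-rc1 < 9.6.0). Pre-release labels are compared as plain strings,
// which is enough for rc1/rc2 and for timestamped pseudo-versions.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// affectedRange is one "≥ lo, < hi" pair. The listing writes "≥ 0" for
// "every version before hi"; that is recorded as open so pseudo-versions
// (which sort below 0.0.0) are still matched.
type affectedRange struct {
	lo, hi version
	open   bool
}

// parseRanges reads the listing's notation, where pairs are run together:
// "≥ 9.3.0+incompatible, < 9.3.3+incompatible≥ 9.4.0+incompatible, < 9.4.4+incompatible".
func parseRanges(s string) ([]affectedRange, error) {
	var out []affectedRange
	for _, chunk := range strings.Split(s, "≥") {
		chunk = strings.TrimSpace(chunk)
		if chunk == "" {
			continue
		}
		loHi := strings.SplitN(chunk, ",", 2)
		if len(loHi) != 2 {
			return nil, fmt.Errorf("malformed range %q", chunk)
		}
		loStr := strings.TrimSpace(loHi[0])
		hiStr := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(loHi[1]), "<"))
		lo, err := parseVersion(loStr)
		if err != nil {
			return nil, err
		}
		hi, err := parseVersion(hiStr)
		if err != nil {
			return nil, err
		}
		out = append(out, affectedRange{lo: lo, hi: hi, open: loStr == "0"})
	}
	return out, nil
}

// isAffected reports whether installed satisfies lo ≤ v < hi for any range.
func isAffected(installed, ranges string) (bool, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	rs, err := parseRanges(ranges)
	if err != nil {
		return false, err
	}
	for _, r := range rs {
		if (r.open || compare(v, r.lo) >= 0) && compare(v, r.hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Affected ranges as written in the CVE-2024-2447 entry (without the "+1 more" tail).
	ranges := "≥ 9.3.0+incompatible, < 9.3.3+incompatible≥ 9.4.0+incompatible, < 9.4.4+incompatible"
	for _, installed := range []string{"v9.3.2+incompatible", "v9.3.3+incompatible", "v9.4.1+incompatible"} {
		hit, err := isAffected(installed, ranges)
		fmt.Println(installed, "affected:", hit, "err:", err)
	}
}
```

Strip the "+N more" tail before passing a range string, and read the version sentences in each description as well: pseudo-version bounds such as the one on CVE-2024-28053 are artifacts of the module-version mapping the NOTE text describes, and only compare meaningfully against other pseudo-versions.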
CVE-2024-1952 | Severity: UNKNOWN | Affected: ≥ 9.0.0+incompatible, < 9.4.0+incompatible | Published: 2024-06-05
Title: Mattermost incorrectly allows access to individual posts in github.com/mattermost/mattermost-server
Description: Mattermost incorrectly allows access to individual posts in github.com/mattermost/mattermost-server.
Sources: osv
CVE-2024-24776 | Severity: UNKNOWN | Affected: ≥ 9.0.0+incompatible, < 9.3.0+incompatible | Published: 2024-06-05
Title: Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server
Description: Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerabi
Sources: osv
CVE-2024-29221 | Severity: UNKNOWN | Affected: ≥ 9.3.0+incompatible, < 9.3.3+incompatible; ≥ 9.4.0+incompatible, < 9.4.4+incompatible; +1 more | Published: 2024-06-05
Title: Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
Description: Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please sugge
Sources: osv
CVE-2024-28949 | Severity: UNKNOWN | Affected: ≥ 9.3.0+incompatible, < 9.3.3+incompatible; ≥ 9.4.0+incompatible, < 9.4.4+incompatible; +1 more | Published: 2024-06-05
Title: Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
Description: Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing f
Sources: osv
CVE-2024-4183 | Severity: MEDIUM | CWE-400 | Affected: ≥ 9.6.0-rc1, < 9.6.1; ≥ 9.5.0, < 9.5.3; +2 more | Published: 2024-04-26
Title: Mattermost fails to limit the number of active sessions
Description: Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
Sources: ghsa, osv
CVE-2024-32046 | Severity: MEDIUM | CWE-200 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.5.0, < 9.5.3; +2 more | Published: 2024-04-26
Title: Mattermost's detailed error messages reveal the full file path
Description: Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages from API responses even when developer mode is off, which allows an attacker to obtain information about the server such as the full path where files are stored.
Sources: ghsa, osv
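The CVE-2024-32046 entry describes a bug class rather than a single bug: an error value that is useful in server logs (because it names the file that failed) is serialised unchanged into the API response. The Go code below is an added illustration, not the project's error type or handler: a hypothetical AppError with a user-facing Message and a log-only DetailedError, a ForClient step that drops the detail unless developer mode is on, and the vulnerable encoding beside it for contrast. The file path and error ID are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
)

// AppError is the shape an API error takes both when logged and when sent.
// Message is written for users; DetailedError carries whatever the underlying
// failure said (often including file-system paths) and is meant for logs only.
type AppError struct {
	ID            string `json:"id"`
	Message       string `json:"message"`
	DetailedError string `json:"detailed_error,omitempty"`
	StatusCode    int    `json:"status_code"`
}

// ForClient returns the copy that may be serialised into a response. The
// detailed text survives only when developer mode is on; the default strips it.
func (e AppError) ForClient(developerMode bool) AppError {
	if !developerMode {
		e.DetailedError = ""
	}
	return e
}

// ToJSON encodes the client-safe copy. With omitempty on DetailedError the
// key disappears entirely in production rather than being sent as "".
func (e AppError) ToJSON(developerMode bool) string {
	b, err := json.Marshal(e.ForClient(developerMode))
	if err != nil {
		return `{"id":"api.error.marshal","message":"internal error","status_code":500}`
	}
	return string(b)
}

// newFileError wraps a failed file operation. The path stays in DetailedError
// for the server log; Message is a fixed string that cannot carry it.
func newFileError(id string, err error) AppError {
	return AppError{ID: id, Message: "Unable to read the file.", DetailedError: err.Error(), StatusCode: 500}
}

// vulnerableEncode reproduces the bug class: the whole error, detail included,
// goes to the client regardless of configuration.
func vulnerableEncode(e AppError) string {
	b, _ := json.Marshal(e)
	return string(b)
}

func main() {
	// Constructed failure with a path typical of a file-store data directory.
	err := &os.PathError{Op: "open", Path: "/opt/mattermost/data/2024/04/26/abc123/report.pdf", Err: os.ErrNotExist}
	e := newFileError("file.read.app_error", err) // hypothetical error ID
	log.Printf("file error: %s", e.DetailedError)   // operators still see the path here
	fmt.Println("production:    ", e.ToJSON(false))
	fmt.Println("developer mode:", e.ToJSON(true))
	fmt.Println("vulnerable:    ", vulnerableEncode(e))
}
```

A regression test for this class is cheap: build an error from a PathError and assert the response body does not contain the path when developer mode is off.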
CVE-2024-4182 | Severity: MEDIUM | CWE-754 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.4.0, < 9.4.5; +2 more | Published: 2024-04-26
Title: Mattermost crashes web clients via a malformed custom status
Description: Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
Sources: ghsa, osv
CVE-2024-22091 | Severity: LOW | CWE-400 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.5.0, < 9.5.3; +1 more | Published: 2024-04-26
Title: Mattermost fails to limit the size of a request path
Description: Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths.
Sources: ghsa, osv
CVE-2024-4198 | Severity: LOW | CWE-284 | Affected: ≥ 9.6.0-rc1, < 9.6.1; ≥ 9.5.0, < 9.5.3; +1 more | Published: 2024-04-26
Title: Mattermost fails to fully validate role changes
Description: Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
Sources: ghsa, osv
CVE-2024-4195 | Severity: LOW | CWE-284 | Affected: ≥ 9.5.0, < 9.5.3; ≥ 8.1.0, < 8.1.12 | Published: 2024-04-26
Title: Mattermost allows team admins to promote guests to team admins
Description: Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Sources: ghsa, osv
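CVE-2024-4198 and CVE-2024-4195 above are two directions of the same missing check: a team admin's role-update request was accepted as long as the role names were valid, with nothing asking whether a team admin is allowed to move a member into or out of guest status. The Go code below is an added example of the validation a server-side role-update endpoint needs; it is not Mattermost's code, and the Actor, Membership and role-name constants are hypothetical. It allow-lists the role combinations the endpoint accepts, then treats guest transitions as a system-admin-only change.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Team-scoped role names (hypothetical, for illustration). Guest is modelled
// as a team role the way the listing describes the two bugs: team admins
// "demote users to guest" and "promote guests to team admins".
const (
	RoleTeamGuest = "team_guest"
	RoleTeamUser  = "team_user"
	RoleTeamAdmin = "team_admin"
)

// Actor is the authenticated caller of the role-update endpoint.
type Actor struct {
	UserID      string
	SystemAdmin bool
	TeamAdmin   bool // admin of the team the membership belongs to
}

// Membership is the target user's current roles on that team.
type Membership struct {
	UserID string
	Roles  []string
}

var (
	ErrForbidden   = errors.New("caller may not change team roles")
	ErrGuestChange = errors.New("guest status can only be changed by a system admin")
	ErrBadRoleSet  = errors.New("unrecognised combination of roles")
)

// roleKey canonicalises a role set so order in the request does not matter.
func roleKey(roles []string) string {
	c := append([]string(nil), roles...)
	sort.Strings(c)
	return strings.Join(c, " ")
}

// allowedShapes enumerates every role set the endpoint accepts, so a crafted
// request cannot smuggle in a combination the UI never sends.
var allowedShapes = map[string]bool{
	roleKey([]string{RoleTeamGuest}):               true,
	roleKey([]string{RoleTeamUser}):                true,
	roleKey([]string{RoleTeamUser, RoleTeamAdmin}): true,
}

func hasRole(roles []string, want string) bool {
	for _, r := range roles {
		if r == want {
			return true
		}
	}
	return false
}

// ValidateRoleChange decides whether actor may replace current.Roles with
// requested. Shape is checked first, then the caller's standing, then the
// guest transition that both CVEs describe as unchecked: a team admin may
// neither turn a member into a guest nor turn a guest into a member or admin.
func ValidateRoleChange(actor Actor, current Membership, requested []string) error {
	if !allowedShapes[roleKey(requested)] {
		return fmt.Errorf("%w: %q", ErrBadRoleSet, requested)
	}
	if !actor.SystemAdmin && !actor.TeamAdmin {
		return ErrForbidden
	}
	curGuest := hasRole(current.Roles, RoleTeamGuest)
	reqGuest := hasRole(requested, RoleTeamGuest)
	if curGuest != reqGuest && !actor.SystemAdmin {
		return ErrGuestChange
	}
	return nil
}

func main() {
	teamAdmin := Actor{UserID: "team-admin-1", TeamAdmin: true}
	member := Membership{UserID: "member-1", Roles: []string{RoleTeamUser}}
	guest := Membership{UserID: "guest-1", Roles: []string{RoleTeamGuest}}
	fmt.Println("promote member to team admin:", ValidateRoleChange(teamAdmin, member, []string{RoleTeamUser, RoleTeamAdmin}))
	fmt.Println("demote member to guest:      ", ValidateRoleChange(teamAdmin, member, []string{RoleTeamGuest}))
	fmt.Println("promote guest to team admin: ", ValidateRoleChange(teamAdmin, guest, []string{RoleTeamUser, RoleTeamAdmin}))
}
```

The important design point is that the check compares the target's current roles with the requested ones, not just the requested set in isolation; a validator that only looks at the new roles cannot tell a promotion from a demotion.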
CVE-2024-28053 | Severity: LOW | CWE-400 | Affected: ≥ 0, < 0.0.0-20240209181221-674f549daf0e | Published: 2024-03-15
Title: Mattermost Server Resource Exhaustion
Description: Mattermost Server versions 8.1.x before 8.1.10 fail to limit the size of the payload that can be read and parsed, allowing an attacker to send a very large email payload and crash the server.
Sources: ghsa, osv
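CVE-2024-22091 (unbounded request path) and CVE-2024-28053 (unbounded email payload) are both "read everything the client sends" bugs, and both are closed by the same kind of boundary: a limit applied before routing, so no individual handler has to remember it. The Go program below is an added example, not Mattermost's middleware or handlers: a limitRequests wrapper that rejects over-long request URIs and caps every request body with http.MaxBytesReader, in front of a hypothetical inboundMailHandler that reads its whole body. The requests are constructed and run in-process with httptest, so nothing listens on the network.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	maxURIBytes  = 2048    // longest request path (with query) accepted
	maxBodyBytes = 1 << 20 // 1 MiB cap on any request body
)

// limitRequests rejects over-long paths before routing and caps the body that
// every downstream handler can read. A handler calling io.ReadAll then gets a
// clean *http.MaxBytesError at maxBodyBytes instead of buffering whatever the
// client chose to send.
func limitRequests(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(r.RequestURI) > maxURIBytes || len(r.URL.Path) > maxURIBytes {
			http.Error(w, "request path too long", http.StatusRequestURITooLong)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
		next.ServeHTTP(w, r)
	})
}

// inboundMailHandler stands in for an endpoint that parses a posted payload
// (the listing's case is an email payload). It reads the whole body, which is
// exactly what makes it need the cap above.
func inboundMailHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}

// send performs one in-process request and returns the status code.
func send(h http.Handler, method, target, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := limitRequests(http.HandlerFunc(inboundMailHandler))
	fmt.Println("normal:   ", send(h, "POST", "/api/v4/mail", "Subject: hi\r\n\r\nhello"))
	fmt.Println("long path:", send(h, "GET", "/api/v4/"+strings.Repeat("a", 5000), ""))
	fmt.Println("huge body:", send(h, "POST", "/api/v4/mail", strings.Repeat("x", maxBodyBytes+1)))
}
```

The body cap protects parsers downstream only if the handler reads through r.Body; code that reads from a separately buffered copy bypasses it, which is worth checking in review of any "parse the whole message" endpoint.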
CVE-2023-5968 | Severity: MEDIUM | CWE-116 | Affected: ≥ 0, < 5.3.2-0.20230825233148-f787fd63368a | Published: 2023-11-06
Title: Mattermost password hash disclosure vulnerability
Description: Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
Sources: ghsa, osv
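The CVE-2023-5968 entry is the classic "echo back the record you just wrote" leak: the stored account struct carries the credential hash beside the profile fields, and one code path serialises it without the sanitising step the other paths apply. The Go code below is an added example, not Mattermost's user model or handler: a hypothetical User struct, a vulnerable and a fixed update handler side by side, and two checks a test suite can run over any user-bearing response body (a field-name check and a bcrypt-pattern scan that catches the hash even if it leaks under an unexpected key). The user record and the hash string are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// User mirrors the shape of a stored account record (hypothetical): credential
// material lives next to public profile fields, so any handler that encodes
// the struct as-is leaks it.
type User struct {
	ID        string `json:"id"`
	Username  string `json:"username"`
	Email     string `json:"email"`
	Password  string `json:"password,omitempty"`   // bcrypt hash at rest
	AuthData  string `json:"auth_data,omitempty"`  // SSO subject, if any
	MfaSecret string `json:"mfa_secret,omitempty"` // TOTP seed
}

// Sanitize returns a copy safe to serialise to any caller, including the
// account owner. Value receiver: the stored record is untouched.
func (u User) Sanitize() User {
	u.Password = ""
	u.AuthData = ""
	u.MfaSecret = ""
	return u
}

// vulnerableUpdateUsername stands in for a handler that updates a field and
// echoes back the record it just wrote, without sanitising it.
func vulnerableUpdateUsername(stored User, newName string) []byte {
	stored.Username = newName
	b, _ := json.Marshal(stored)
	return b
}

// fixedUpdateUsername performs the same update but encodes a sanitised copy.
func fixedUpdateUsername(stored User, newName string) []byte {
	stored.Username = newName
	b, _ := json.Marshal(stored.Sanitize())
	return b
}

// leaksSecretField checks a JSON body for any populated credential field.
func leaksSecretField(body []byte) bool {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return false
	}
	for _, k := range []string{"password", "auth_data", "mfa_secret"} {
		if v, ok := m[k]; ok && v != "" {
			return true
		}
	}
	return false
}

// bcryptPattern matches a modular-crypt bcrypt string: $2a$/$2b$/$2y$, a
// two-digit cost, then 53 base64 characters of salt and digest.
var bcryptPattern = regexp.MustCompile(`\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}`)

// containsPasswordHash is the field-name-agnostic check for a response body.
func containsPasswordHash(body []byte) bool {
	return bcryptPattern.Match(body)
}

func main() {
	// Constructed record; the hash is a sample bcrypt string, not a real credential.
	u := User{ID: "u1", Username: "alice", Email: "alice@example.test",
		Password: "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"}
	fmt.Println("vulnerable:", string(vulnerableUpdateUsername(u, "alice2")))
	fmt.Println("fixed:     ", string(fixedUpdateUsername(u, "alice2")))
}
```

The pattern scan is the more durable regression test: a new endpoint that returns users under a different field name, or embeds them in a list, still trips it.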
CVE-2023-1775 | Severity: MEDIUM | CWE-668 | Affected: ≥ 3.3.0, < 7.1.6; ≥ 7.7.0, < 7.7.2; +1 more | Published: 2023-03-31
Title: Mattermost vulnerable to information disclosure
Description: When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and `post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138
Sources: ghsa, osv
CVE-2023-1777 | Severity: MEDIUM | CWE-668 | Affected: ≥ 7.8.0, < 7.8.1; ≥ 7.7.0, < 7.7.2; +2 more | Published: 2023-03-31
Title: Mattermost vulnerable to information disclosure
Description: Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
Sources: ghsa, osv
CVE-2023-1774 | Severity: MEDIUM | CWE-862 | Affected: ≥ 3.3.0, < 7.1.6; ≥ 7.7.0, < 7.7.2; +1 more | Published: 2023-03-31
Title: Mattermost fails to properly authenticate the inviter's permissions to a private channel
Description: When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137
Sources: ghsa, osv
CVE-2023-1776 | Severity: MEDIUM | CWE-79 | Affected: ≥ 7.7.0, < 7.7.2; ≥ 7.1.0, < 7.1.6; +1 more | Published: 2023-03-31
Title: Mattermost vulnerable to cross-site scripting (XSS)
Description: Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139
Sources: ghsa, osv
CVE-2022-4045 | Severity: MEDIUM | CWE-770 | Affected: ≥ 0, < 7.1.4; ≥ 7.2.0, < 7.2.1; +1 more | Published: 2022-11-23
Title: Denial of service in Mattermost
Description: A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints that can fetch a large amount of data.
Sources: ghsa, osv
CVE-2022-4044 | Severity: MEDIUM | CWE-770 | Affected: ≥ 0, < 7.1.4; ≥ 7.2.0, < 7.2.1; +1 more | Published: 2022-11-23
Title: Denial of service in Mattermost
Description: A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
Sources: ghsa, osv
CVE-2022-1982 | Severity: MEDIUM | CWE-400 | Affected: ≥ 6.6.0, < 6.6.1; ≥ 6.5.0, < 6.5.1; +2 more | Published: 2022-06-03
Title: Uncontrolled Resource Consumption in Mattermost server
Description: Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
Sources: ghsa, osv
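Two entries on this page concern SVG attachments from opposite sides: CVE-2023-1776 (a malicious SVG shared by direct link executes in the viewer's browser) and CVE-2022-1982 (a crafted SVG exhausts the server that processes it). The Go code below is an added example, not Mattermost's file-upload code: a streaming gate that parses an upload with encoding/xml under byte and token budgets and refuses DOCTYPEs, script and foreignObject elements, on* event handlers and javascript:/non-image data: hrefs, plus the response headers under which a stored SVG should be served even after it passed the gate. The budgets, the header set and all sample documents are constructed for the demonstration; the listing does not say which SVG feature either CVE abused.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

const (
	maxSVGBytes  = 1 << 20 // 1 MiB of markup is plenty for an icon or diagram
	maxSVGTokens = 10000   // element+attribute budget; stops repeated-node bombs
)

var (
	ErrSVGTooLarge      = errors.New("svg: exceeds byte or token budget")
	ErrSVGDoctype       = errors.New("svg: DOCTYPE/DTD not allowed")
	ErrSVGActiveContent = errors.New("svg: active content not allowed")
)

// CheckSVG streams the document through encoding/xml, never building a DOM,
// so a hostile file costs at most maxSVGBytes of reading and maxSVGTokens of
// inspection before it is rejected.
func CheckSVG(r io.Reader) error {
	lr := &io.LimitedReader{R: r, N: maxSVGBytes + 1}
	dec := xml.NewDecoder(lr)
	tokens := 0
	for {
		tok, err := dec.Token()
		if err != nil {
			if lr.N == 0 { // the reader was drained: input exceeded maxSVGBytes
				return ErrSVGTooLarge
			}
			if err == io.EOF {
				return nil
			}
			return fmt.Errorf("svg: malformed: %w", err)
		}
		switch t := tok.(type) {
		case xml.Directive:
			// No DTDs at all: internal entity declarations are how expansion bombs work.
			if strings.HasPrefix(strings.ToUpper(strings.TrimSpace(string(t))), "DOCTYPE") {
				return ErrSVGDoctype
			}
		case xml.StartElement:
			tokens++
			switch strings.ToLower(t.Name.Local) {
			case "script", "foreignobject":
				return fmt.Errorf("%w: <%s>", ErrSVGActiveContent, t.Name.Local)
			}
			for _, a := range t.Attr {
				tokens++
				name := strings.ToLower(a.Name.Local)
				val := strings.ToLower(strings.TrimSpace(a.Value))
				if strings.HasPrefix(name, "on") { // onload, onclick, onbegin, ...
					return fmt.Errorf("%w: attribute %s", ErrSVGActiveContent, a.Name.Local)
				}
				if name == "href" && (strings.HasPrefix(val, "javascript:") ||
					(strings.HasPrefix(val, "data:") && !strings.HasPrefix(val, "data:image/"))) {
					return fmt.Errorf("%w: href %q", ErrSVGActiveContent, a.Value)
				}
			}
		}
		if tokens > maxSVGTokens {
			return ErrSVGTooLarge
		}
	}
}

// ServeSVGHeaders are the headers to send with a stored SVG even after it
// passed CheckSVG: the browser downloads it instead of rendering it as a
// top-level document, and if it is rendered anyway the CSP forbids script
// and remote fetches. (Filename quoting is Go %q, adequate for simple names.)
func ServeSVGHeaders(filename string) map[string]string {
	return map[string]string{
		"Content-Type":            "image/svg+xml",
		"Content-Disposition":     fmt.Sprintf("attachment; filename=%q", filename),
		"Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
		"X-Content-Type-Options":  "nosniff",
	}
}

func main() {
	// Constructed samples: a benign icon and one carrying a script element.
	benign := `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>`
	hostile := `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`
	fmt.Println("benign: ", CheckSVG(strings.NewReader(benign)))
	fmt.Println("hostile:", CheckSVG(strings.NewReader(hostile)))
	fmt.Println("headers:", ServeSVGHeaders("logo.svg"))
}
```

The gate is a deny-list over a small set of dangerous constructs, chosen to keep the example readable; a production filter would be an allow-list of elements and attributes, and the attachment disposition plus CSP is what protects viewers when the filter misses something.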