cbcvebase.

Github.Com Mattermost Mattermost-Server V6 vulnerabilities

47 known vulnerabilities affecting github.com/mattermost_mattermost-server_v6.

Total CVEs
47
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH3MEDIUM36LOW8

Vulnerabilities

Page 1 of 3
CVE-2022-1384P3HIGH≥ 6.4.0, < 6.5.02022-04-20
CVE-2022-1384 [HIGH] CWE-862 Insecure plugin handling in Mattermost Insecure plugin handling in Mattermost Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.
ghsaosv
CVE-2023-6458P3HIGH≥ 0, < 7.8.142023-12-06
CVE-2023-6458 [HIGH] CWE-22 Mattermost Injection vulnerability Mattermost Injection vulnerability Mattermost webapp fails to validate route parameters in//channels/ allowing an attacker to perform a client-side path traversal.
ghsaosv
CVE-2023-2515P3HIGH≥ 0, < 7.1.8≥ 7.2.0, < 7.7.4+2 more2023-05-12
CVE-2023-2515 [HIGH] CWE-863 Mattermost Incorrect Authorization vulnerability Mattermost Incorrect Authorization vulnerability Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
ghsaosv
CVE-2023-40703P3MEDIUM≥ 0, < 7.8.132023-11-27
CVE-2023-40703 [MEDIUM] CWE-400 Mattermost Uncontrolled Resource Consumption vulnerability Mattermost Uncontrolled Resource Consumption vulnerability Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.
ghsaosv
CVE-2023-48268P3MEDIUM≥ 0, < 7.8.132023-11-27
CVE-2023-48268 [MEDIUM] CWE-400 Mattermost Uncontrolled Resource Consumption vulnerability Mattermost Uncontrolled Resource Consumption vulnerability Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
ghsaosv
CVE-2023-4108P3MEDIUM≥ 0, < 7.8.8≥ 7.9.0, < 7.9.6+1 more2023-08-11
CVE-2023-4108 [MEDIUM] CWE-200 Mattermost fails to sanitize post metadata Mattermost fails to sanitize post metadata Mattermost fails to sanitize post metadata during audit logging, resulting in permalinks' contents being logged.
ghsaosv
CVE-2025-49222P3MEDIUM≥ 0, ≤ 5.7.22025-08-21
CVE-2025-49222 [MEDIUM] CWE-434 Mattermost Fails to Validate Remote Cluster Upload Sessions Mattermost Fails to Validate Remote Cluster Upload Sessions Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
ghsaosv
CVE-2023-4107P3MEDIUM≥ 0, < 7.8.8≥ 7.9.0, < 7.9.6+1 more2023-08-11
CVE-2023-4107 [MEDIUM] CWE-284 Mattermost does not validate requesting user permissions before updating admin details Mattermost does not validate requesting user permissions before updating admin details Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
ghsaosv
CVE-2022-1337P4MEDIUM≥ 0, < 6.4.22022-04-14
CVE-2022-1337 [MEDIUM] CWE-400 Resource exhaustion in Mattermost Resource exhaustion in Mattermost The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
ghsaosv
CVE-2023-5196P4MEDIUM≥ 0, < 7.8.102023-09-29
CVE-2023-5196 [MEDIUM] CWE-400 Mattermost Uncontrolled Resource Consumption vulnerability Mattermost Uncontrolled Resource Consumption vulnerability Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.
ghsaosv
CVE-2023-1775P4MEDIUM≥ 6.0.0, < 7.1.62023-03-31
CVE-2023-1775 [MEDIUM] CWE-668 Mattermost vulnerable to information disclosure Mattermost vulnerable to information disclosure When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and` post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138
ghsaosv
CVE-2024-28053P4LOW≥ 0, < 0.0.0-20240209181221-674f549daf0e2024-03-15
CVE-2024-28053 [LOW] CWE-400 Mattermost Server Resource Exhaustion Mattermost Server Resource Exhaustion Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
ghsaosv
CVE-2022-2401P4MEDIUM≥ 0, < 6.3.9≥ 6.4.0, < 6.5.2+2 more2022-07-15
CVE-2022-2401 [MEDIUM] CWE-200 Mattermost users could access some sensitive information via API call Mattermost users could access some sensitive information via API call Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
ghsaosv
CVE-2023-4106P4MEDIUM≥ 7.9.0, < 7.9.6≥ 7.10.0, < 7.10.4+1 more2023-08-11
CVE-2023-4106 [MEDIUM] CWE-284 Mattermost fails to check if user is a guest before performing actions on public playbooks Mattermost fails to check if user is a guest before performing actions on public playbooks Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
ghsaosv
CVE-2024-39837P4LOW≥ 0, < 6.0.0-20240626164322-c758cecaf30c2024-08-01
CVE-2024-39837 [LOW] CWE-284 Mattermost did not properly restrict channel creation Mattermost did not properly restrict channel creation Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
ghsaosv
CVE-2022-3257P4MEDIUM≥ 7.1.0, < 7.2.02022-09-25
CVE-2022-3257 [MEDIUM] CWE-434 Mattermost subject to Denial of Service via upload of special GIF Mattermost subject to Denial of Service via upload of special GIF Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
ghsaosv
CVE-2023-5969P4MEDIUM≥ 0, < 7.8.122023-11-06
CVE-2023-5969 [MEDIUM] CWE-400 Mattermost vulnerable to excessive memory consumption Mattermost vulnerable to excessive memory consumption Mattermost fails to properly sanitize the request to `/api/v4/redirect_location` allowing an attacker, sending a specially crafted request to `/api/v4/redirect_location`, to fill up the memory due to caching large items.
ghsaosv
CVE-2023-1776P4MEDIUM≥ 6.0.0, < 7.1.6≥ 3.3.0, < 7.1.62023-03-31
CVE-2023-1776 [MEDIUM] CWE-79 Mattermost vulnerable to cross-site scripting (XSS) Mattermost vulnerable to cross-site scripting (XSS) Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139
ghsaosv
CVE-2025-36530P4MEDIUM≥ 0, ≤ 6.7.22025-08-21
CVE-2025-36530 [MEDIUM] CWE-22 Mattermost Fails to Validate File Paths Mattermost Fails to Validate File Paths Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
ghsaosv
CVE-2025-8023P4MEDIUM≥ 0, ≤ 6.7.22025-08-21
CVE-2025-8023 [MEDIUM] CWE-22 Mattermost Fails to Sanitize Path Traversal Sequences Mattermost Fails to Sanitize Path Traversal Sequences Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
ghsaosv
Github.Com Mattermost Mattermost-Server V6 vulnerabilities | cvebase