
Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 9 of 10
CVE-2023-45223 | P4 | MEDIUM | affected: ≥ 0, < 8.1.4 | 2023-11-27
CWE-200: Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
Sources: GHSA, OSV
CVE-2023-43754 | P4 | MEDIUM | affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more | 2023-11-27
CWE-200: Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Mattermost fails to check whether the "Allow users to view archived channels" setting is enabled when displaying permalink previews, allowing members to view permalink previews of archived channels even if that setting is disabled.
Sources: GHSA, OSV
CVE-2023-47865 | P4 | MEDIUM | affected: ≥ 0, < 8.1.4 | 2023-11-27
CWE-284: Mattermost Improper Access Control vulnerability
Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled.
Sources: GHSA, OSV
CVE-2024-1952 | P4 | LOW | affected: ≥ 9.0.0, < 9.4.0 | 2024-02-29
CWE-200: Mattermost incorrectly allows access to individual posts
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
Sources: GHSA, OSV
CVE-2024-1942 | P4 | MEDIUM | affected: ≥ 9.3.0, < 9.3.1; ≥ 9.2.0, < 9.2.5; +1 more | 2024-02-29
CWE-284: Mattermost allows attackers access to posts in channels they are not a member of
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
Sources: GHSA, OSV
CVE-2023-47858 | P4 | MEDIUM | affected: ≥ 0, < 8.1.1 | 2024-01-02
CWE-284: Mattermost viewing archived public channels permissions vulnerability
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted endpoint.
Sources: GHSA, OSV
CVE-2024-10241 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20240813135334-8f3a13122f55 | 2024-10-29
CWE-284: Mattermost Server allows user to get private channel names
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when Elasticsearch is enabled, which allows a user to get private channel names by using cmd+K/ctrl+K.
Sources: GHSA, OSV
CVE-2025-2564 | P4 | MEDIUM | affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more | 2025-04-16
CWE-863: Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
Sources: GHSA, OSV
CVE-2025-64641 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20251121122154-b57c297c6d7 | 2025-12-24
CWE-863: Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allowed a malicious Mattermost user to exfiltrate Ji
Sources: GHSA, OSV
CVE-2024-1402 | P4 | MEDIUM | affected: ≥ 0, < 8.1.8; ≥ 9.2.0, < 9.2.4; +1 more | 2024-02-09
CWE-400: Mattermost vulnerable to denial of service via large number of emoji reactions
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post. Fetching posts wit
Sources: GHSA, OSV
CVE-2023-48732 | P4 | MEDIUM | affected: ≥ 0, < 8.1.7 | 2024-01-02
CWE-200: Mattermost notified all users in the channel when using WebSockets to respond individually
Mattermost fails to scope the WebSocket response about notified users to each user separately, resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
Sources: GHSA, OSV
CVE-2024-1888 | P4 | MEDIUM | affected: ≥ 9.4.0, < 9.4.2; ≥ 9.3.0, < 9.3.1; +2 more | 2024-02-29
CWE-284: Mattermost fails to check the "invite_guest" permission
Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permission to add other members but not to add guests to add a guest to a team, as long as the guest was already a guest in another team on the server.
Sources: GHSA, OSV
CVE-2023-50333 | P4 | LOW | affected: ≥ 0, < 8.1.7 | 2024-01-02
CWE-284: Mattermost allows demoted guests to change group names
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
Sources: GHSA, OSV
CVE-2025-4573 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20250414112942-77892234944b | 2025-06-11
CWE-90: Mattermost allows authenticated administrator to execute LDAP search filter injection
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT
Sources: GHSA, OSV
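The injection in CVE-2025-4573 comes down to attacker-controlled strings reaching an LDAP search filter unescaped. The Go example below is added here for illustration and is not Mattermost's code: it shows RFC 4515 value escaping, and an allowlist for the attribute-name position, which cannot be made safe by escaping. The function names, the `(&(objectClass=...)(...))` filter shape and the payload `*)(cn=*` are assumptions of the example, not taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// EscapeLDAPFilterValue escapes a value for the right-hand side of an LDAP
// search filter item (RFC 4515 section 3): '*', '(', ')', '\' and NUL become
// \xx hex escapes, so a value can never close the current item or open a
// new one.
func EscapeLDAPFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// attrNameRe is a simplified RFC 4512 attribute description: a keystring
// (a letter, then letters, digits or hyphens) with optional ';option' parts.
// Numeric OIDs are deliberately not accepted by this example.
var attrNameRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$`)

var ErrBadAttribute = errors.New("invalid LDAP attribute name")

// BuildGroupFilter assembles a hypothetical group lookup filter. The
// attribute name sits left of '=' where escaping does not apply, so it is
// allowlisted; the group ID is a value and is escaped. Both are treated as
// attacker-controlled, matching an administrator who can edit group settings.
func BuildGroupFilter(objectClass, idAttr, groupID string) (string, error) {
	if !attrNameRe.MatchString(idAttr) {
		return "", ErrBadAttribute
	}
	return fmt.Sprintf("(&(objectClass=%s)(%s=%s))",
		EscapeLDAPFilterValue(objectClass), idAttr, EscapeLDAPFilterValue(groupID)), nil
}

// UnsafeGroupFilter is the injectable pattern for contrast: raw
// interpolation lets a value such as `*)(cn=*` rewrite the filter logic.
func UnsafeGroupFilter(objectClass, idAttr, groupID string) string {
	return fmt.Sprintf("(&(objectClass=%s)(%s=%s))", objectClass, idAttr, groupID)
}

func main() {
	payload := "*)(cn=*" // constructed injection attempt
	fmt.Println("unsafe:", UnsafeGroupFilter("group", "gidNumber", payload))
	safe, err := BuildGroupFilter("group", "gidNumber", payload)
	fmt.Println("safe:  ", safe, err)
	_, err = BuildGroupFilter("group", "gidNumber=*)(cn", "1000")
	fmt.Println("attribute name rejected:", err)
}
```

The point of the two-sided treatment is that an "attribute" setting such as the group ID attribute in the advisory is not a value: escaping it per RFC 4515 would not stop `gidNumber=*)(cn` from changing the filter's meaning, so the only correct validation for that position is a strict name grammar.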
CVE-2025-54499 | P4 | LOW | affected: ≥ 0, < 8.0.0-20250728063359-38208b8f065f | 2025-10-16
CWE-208: Mattermost has an Observable Timing Discrepancy vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons, which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.
Sources: GHSA, OSV
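CVE-2025-54499 is the classic timing oracle on secret comparison. The Go example below is added here and is not Mattermost's code; it contrasts a plain string equality, whose cost depends on where the first mismatching byte sits, with a comparison over fixed-length hashes using crypto/subtle. The sample secret and guesses are constructed, and CountComparedBytes is a hypothetical helper that models what a short-circuiting comparison leaks.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// NaiveSecretEquals is the pattern the advisory describes: ordinary string
// equality is not constant-time, so its cost (and the response time built on
// it) can depend on how many leading bytes of the guess were correct.
// Illustrative only; this is not Mattermost's code.
func NaiveSecretEquals(presented, stored string) bool {
	return presented == stored
}

// SecretEquals is the hardened form. Hashing both sides first gives two
// equal-length buffers, which hides the stored secret's length and avoids
// ConstantTimeCompare's early return on length mismatch; the compare itself
// then inspects every byte regardless of where the first difference is.
func SecretEquals(presented, stored string) bool {
	p := sha256.Sum256([]byte(presented))
	s := sha256.Sum256([]byte(stored))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

// CountComparedBytes models the oracle: it returns how many bytes a
// short-circuiting loop inspects before deciding. An attacker measuring
// response times recovers this number and extends the guess one byte at a
// time; with SecretEquals the work is always the full hash length instead.
func CountComparedBytes(presented, stored string) int {
	n := 0
	for i := 0; i < len(presented) && i < len(stored); i++ {
		n++
		if presented[i] != stored[i] {
			return n
		}
	}
	return n
}

func main() {
	const stored = "mmcloud_k3yExampleSecret" // constructed sample secret
	for _, guess := range []string{"a", "mmcloud_a", stored} {
		fmt.Printf("%-28q naive=%-5v compared=%-2d constant=%v\n",
			guess, NaiveSecretEquals(guess, stored),
			CountComparedBytes(guess, stored), SecretEquals(guess, stored))
	}
}
```

Hashing before comparing is the usual way to get a fixed-width compare when the two secrets may differ in length; it costs one SHA-256 per side, which is negligible next to a network round trip.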
CVE-2025-13324 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20251031095924-e7e23b94e006 | 2025-12-17
CWE-863: Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to
Sources: GHSA, OSV
CVE-2026-22545 | P4 | LOW | affected: ≥ 0, < 8.0.0-20260127144908-ced9a56e3988 | 2026-03-16
CWE-863: Mattermost fails to validate user's authentication method when processing account auth type switch
Mattermost versions 10.11.x <= 10.11.10 fail to validate the user's authentication method when processing an account auth type switch, which allows an authenticated attacker to change the account password without confirmation by falsely claiming a different auth provider. Mattermos
Sources: GHSA, OSV
CVE-2026-6334 | P4 | LOW | affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more | 2026-05-18
CWE-305: Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow, which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted
Sources: GHSA
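Both CVE-2026-6334 (a client redeeming a code issued to another client) and CVE-2025-13324 above (an invite token that stays valid after use) are failures to bind a one-time token to the party it was issued to and to burn it on first use. The Go example below is added here and is not Mattermost's code; it is an in-memory authorization-code store with hypothetical names (CodeStore, Issue, Redeem, grant) that records the issuing client and redirect URI at authorization time, checks both at redemption, and consumes the code on the first attempt whether or not that attempt succeeds, the same single-use rule a remote-cluster invite token needs.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownCode      = errors.New("authorization code unknown, expired or already redeemed")
	ErrClientMismatch   = errors.New("authorization code was not issued to this client")
	ErrRedirectMismatch = errors.New("redirect_uri differs from the one used at authorization")
)

// grant records who an authorization code was issued to. Checking clientID
// at redemption is the client identity binding CVE-2026-6334 says is
// missing; checking used is the single-use rule CVE-2025-13324 says is
// missing for legacy-protocol invite tokens.
type grant struct {
	clientID    string
	redirectURI string
	userID      string
	expires     time.Time
	used        bool
}

// CodeStore is a hypothetical in-memory store for authorization codes.
// now is a field so tests can move the clock.
type CodeStore struct {
	mu    sync.Mutex
	codes map[string]*grant
	now   func() time.Time
}

func NewCodeStore() *CodeStore {
	return &CodeStore{codes: map[string]*grant{}, now: time.Now}
}

// Issue mints an unguessable code bound to (clientID, redirectURI, userID).
func (s *CodeStore) Issue(clientID, redirectURI, userID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &grant{
		clientID:    clientID,
		redirectURI: redirectURI,
		userID:      userID,
		expires:     s.now().Add(ttl),
	}
	return code, nil
}

// Redeem exchanges a code for the user it was issued for. The presenting
// client is assumed to have authenticated already (client secret, mTLS);
// what is enforced here is that it is the client the code was issued to,
// that redirect_uri matches, and that the code is consumed on first use.
func (s *CodeStore) Redeem(code, clientID, redirectURI string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.codes[code]
	if !ok || g.used || s.now().After(g.expires) {
		return "", ErrUnknownCode
	}
	// Mark the code used before the binding checks: a code presented by the
	// wrong client has leaked, so the legitimate client must not be able to
	// redeem it afterwards either (RFC 6749 section 4.1.2 requires rejecting
	// reuse and recommends revoking whatever was issued from the code).
	g.used = true
	if g.clientID != clientID {
		return "", ErrClientMismatch
	}
	if g.redirectURI != redirectURI {
		return "", ErrRedirectMismatch
	}
	return g.userID, nil
}

func main() {
	s := NewCodeStore()
	code, _ := s.Issue("client-A", "https://a.example/cb", "user-1", time.Minute)
	_, err := s.Redeem(code, "client-B", "https://a.example/cb") // other client: rejected
	fmt.Println("client-B redeeming client-A's code:", err)
	_, err = s.Redeem(code, "client-A", "https://a.example/cb") // code already burned
	fmt.Println("client-A afterwards:", err)
}
```

Burning the code on a mismatched attempt is a deliberate choice: it turns a stolen code into a denial of that one login rather than a usable credential, and the legitimate client simply starts a fresh authorization. The same store shape works for an invite token if the "client" is the remote cluster the invite was generated for.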
CVE-2024-29221 | P4 | MEDIUM | affected: ≥ 8.1.0, < 8.1.11; ≥ 9.5.0, < 9.5.2; +2 more | 2024-04-05
CWE-284: Mattermost Server Improper Access Control
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 lack proper access control in the `/api/v4/users/me/teams` endpoint, allowing a team admin to get the invite ID of their team and thus invite users, even if the "Add Members" permission was explicitly removed from team admins.
Sources: GHSA, OSV
CVE-2025-3913 | P4 | MEDIUM | affected: ≥ 10.7.0-rc1, < 10.7.1; ≥ 10.6.0-rc1, < 10.6.3; +3 more | 2025-05-29
CWE-863: Mattermost improperly allows team administrators to modify team invites
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
Sources: GHSA, OSV