Mattermost Server vulnerabilities
417 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 417
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 16, HIGH 77, MEDIUM 288, LOW 36
Vulnerabilities
Page 10 of 21
CVE-2024-40884 | LOW | CVSS 2.7 | CWE-284 | Affected: ≥ 9.5.0, < 9.5.8; 9.10.0 | 2024-08-22
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions, which allows a team admin user without the "Add Team Members" permission to disable the invite URL.
Source: nvd
CVE-2024-41144 | HIGH | CVSS 7.1 | CWE-284 | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more | 2024-08-01
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels.
Source: nvd
CVE-2024-39837 | MEDIUM | CVSS 5.4 | CWE-284 | Affected: ≥ 9.5.0, < 9.5.7; 9.9.0 | 2024-08-01
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation, which allows a malicious remote to create arbitrary channels when shared channels are enabled.
Source: nvd
CVE-2024-41926 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 9.5.0, < 9.5.7; 9.9.0 | 2024-08-01
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
Source: nvd
CVE-2024-41162 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more | 2024-08-01
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
Source: nvd
CVE-2024-39839 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more | 2024-08-01
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users from setting their own remote username when shared channels are enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would then be synced to the local server as long as the user hadn't been synced b[...]
Source: nvd
CVE-2024-36241 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls, which allows a user to view arbitrary post contents via the /playbook add slash command.
Source: nvd
CVE-2024-34152 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control, which allows a guest to get the metadata of a public playbook run linked to the channel they are a guest of, by sending an RHSRuns GraphQL query request to the server.
Source: nvd
CVE-2024-5272 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a linked playbook run to see all the details of the playbook run when the run is marked as finished.
Source: nvd
CVE-2024-36255 | MEDIUM | CVSS 5.7 | CWE-352 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions, which allows an attacker to run a playbook checklist task command as another user by creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel.
Source: nvd
CVE-2024-5270 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +2 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and p[...]
Source: nvd
CVE-2024-34029 | MEDIUM | CVSS 4.3 | CWE-200 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper auth[...] /channels//link endpoint, which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team.
Source: nvd
CVE-2024-31859 | MEDIUM | CVSS 6.3 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks, which allows a member running a playbook in an existing channel to be promoted to a channel admin.
Source: nvd
CVE-2024-32045 | MEDIUM | CVSS 5.9 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +1 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel, which allows members to link their runs to private channels they were not members of.
Source: nvd
CVE-2024-29215 | MEDIUM | CVSS 4.3 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.13; ≥ 9.5.0, < 9.5.4; +2 more | 2024-05-26
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control, which allows a user to run a slash command in a channel they are not a member of by linking a playbook run to that channel and running a slash command as a playbook task command.
Source: nvd
CVE-2024-32046 | MEDIUM | CVSS 4.3 | CWE-200 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.4.0, < 9.4.5; +2 more | 2024-04-26
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if developer mode is off, which allows an attacker to get information about the server such as the full path where files are stored.
Source: nvd
CVE-2024-4183 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.4.0, < 9.4.5; +2 more | 2024-04-26
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
Source: nvd
CVE-2024-22091 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.5.0, < 9.5.3; +1 more | 2024-04-26
Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths.
Source: nvd
CVE-2024-4182 | MEDIUM | CVSS 4.3 | CWE-754 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.4.0, < 9.4.5; +2 more | 2024-04-26
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
Source: nvd
CVE-2024-4195 | LOW | CVSS 2.7 | CWE-284 | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.5.0, < 9.5.3 | 2024-04-26
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Source: nvd