Mattermost Server vulnerabilities
389 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 389
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 74, MEDIUM 266, LOW 34
Vulnerabilities
Page 14 of 20
CVE-2018-21248 | HIGH | CVSS 7.5 | CWE-522 | fixed in 5.4.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
Source: nvd
CVE-2020-14458 | HIGH | CVSS 7.5 | fixed in 5.19.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
Source: nvd
CVE-2020-14453 | HIGH | CVSS 7.5 | CWE-345 | fixed in 5.21.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
Source: nvd
CVE-2017-18871 | HIGH | CVSS 7.5 | fixed in 4.2.2; ≥ 4.3.0, < 4.3.4; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
Source: nvd
CVE-2020-14448 | HIGH | CVSS 7.5 | CWE-835 | fixed in 5.23.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
Source: nvd
CVE-2019-20845 | HIGH | CVSS 7.5 | CWE-770 | fixed in 5.18.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
Source: nvd
CVE-2017-18909 | HIGH | CVSS 7.5 | CWE-295 | fixed in 3.9.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
Source: nvd
CVE-2019-20858 | HIGH | CVSS 7.5 | CWE-400 | fixed in 5.15.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
Source: nvd
CVE-2017-18906 | HIGH | CVSS 8.1 | CWE-287 | fixed in 3.9.2; ≥ 3.10.0, < 3.10.2 | 2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
Source: nvd
CVE-2017-18886 | HIGH | CVSS 8.8 | CWE-732 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
Source: nvd
CVE-2019-20854 | HIGH | CVSS 7.5 | fixed in 5.17.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
Source: nvd
CVE-2019-20863 | HIGH | CVSS 7.5 | fixed in 5.13.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
Source: nvd
CVE-2019-20868 | HIGH | CVSS 7.5 | CWE-20 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
Source: nvd
CVE-2017-18917 | HIGH | CVSS 7.5 | CWE-916 | ≥ 3.6.0, < 3.6.7; ≥ 3.7.0, < 3.7.5; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
Source: nvd
CVE-2019-20880 | HIGH | CVSS 7.5 | CWE-770 | fixed in 4.10.7; ≥ 5.6.0, < 5.6.5; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
Source: nvd
CVE-2019-20859 | HIGH | CVSS 7.5 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
Source: nvd
CVE-2019-20874 | HIGH | CVSS 7.5 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
Source: nvd
CVE-2019-20862 | HIGH | CVSS 7.5 | fixed in 5.13.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
Source: nvd
CVE-2019-20857 | HIGH | CVSS 7.5 | fixed in 5.16.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
Source: nvd
CVE-2018-21263 | HIGH | CVSS 8.8 | CWE-287 | fixed in 4.5.2; ≥ 4.6.0, < 4.6.2; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
Source: nvd