Mattermost Server vulnerabilities

389 known vulnerabilities affecting mattermost/mattermost_server.

Total CVEs
389
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL: 15
HIGH: 74
MEDIUM: 266
LOW: 34

Vulnerabilities

Page 15 of 20
CVE-2019-20841 | HIGH | CVSS 8.8 | fixed in 5.9.7 | ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
CWE-352. An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks. (Source: NVD)
CVE-2019-20881 | HIGH | CVSS 7.3 | fixed in 5.8.0 | 2020-06-19
CWE-307. An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA. (Source: NVD)
CVE-2018-21258 | HIGH | CVSS 7.5 | fixed in 5.1.0 | 2020-06-19
CWE-74. An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command. (Source: NVD)
CVE-2019-20871 | HIGH | CVSS 7.5 | fixed in 4.10.8 | ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking. (Source: NVD)
CVE-2019-20842 | HIGH | CVSS 7.2 | fixed in 5.9.7 | ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
CWE-89. An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels. (Source: NVD)
CVE-2020-14447 | HIGH | CVSS 7.5 | fixed in 5.23.0 | 2020-06-19
CWE-835. An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021. (Source: NVD)
CVE-2018-21262 | HIGH | CVSS 7.5 | fixed in 4.7.3 | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text. (Source: NVD)
CVE-2019-20846 | HIGH | CVSS 7.5 | fixed in 5.18.0 | 2020-06-19
CWE-281. An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage. (Source: NVD)
CVE-2015-9548 | HIGH | CVSS 7.5 | fixed in 1.2.0 | 2020-06-19
CWE-400. An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed. (Source: NVD)
CVE-2017-18894 | HIGH | CVSS 8.1 | fixed in 4.0.5 | ≥ 4.1.0, < 4.1.1 (+1 more) | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes, resource-owner authorization is bypassed, allowing account takeover. (Source: NVD)
CVE-2018-21264 | HIGH | CVSS 8.8 | fixed in 4.5.2 | ≥ 4.6.0, < 4.6.2 (+1 more) | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response. (Source: NVD)
CVE-2019-20855 | HIGH | CVSS 7.5 | fixed in 5.9.6 | ≥ 5.14.0, < 5.14.5 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration. (Source: NVD)
CVE-2017-18903 | HIGH | CVSS 8.8 | fixed in 3.9.2 | ≥ 3.10.0, < 3.10.2 | 2020-06-19
CWE-352. An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. (Source: NVD)
CVE-2019-20886 | HIGH | CVSS 7.5 | fixed in 5.8.0 | 2020-06-19
CWE-269. An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. (Source: NVD)
CVE-2017-18884 | HIGH | CVSS 8.1 | fixed in 4.1.2 | ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
CWE-269. An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. (Source: NVD)
CVE-2020-14459 | HIGH | CVSS 7.5 | fixed in 5.19.0 | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002. (Source: NVD)
CVE-2016-11069 | HIGH | CVSS 7.5 | fixed in 3.2.0 | 2020-06-19
CWE-521. An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change. (Source: NVD)
CVE-2019-20865 | HIGH | CVSS 8.8 | fixed in 4.10.10 | ≥ 5.9.0, < 5.9.2 (+3 more) | 2020-06-19
CWE-352. An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF. (Source: NVD)
CVE-2019-20885 | HIGH | CVSS 7.5 | fixed in 5.8.0 | 2020-06-19
CWE-862. An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file. (Source: NVD)
CVE-2019-20843 | HIGH | CVSS 7.5 | fixed in 5.9.7 | ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
CWE-281. An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files. (Source: NVD)