Mattermost Server vulnerabilities

417 known vulnerabilities affecting mattermost/mattermost_server.

Total CVEs: 417
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 16, HIGH 77, MEDIUM 288, LOW 36

Vulnerabilities

Page 16 of 21
CVE-2019-20868 | HIGH | CVSS 7.5 | fixed in 4.10.8 | affected: ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
Source: nvd

CVE-2017-18917 | HIGH | CVSS 7.5 | affected: ≥ 3.6.0, < 3.6.7; ≥ 3.7.0, < 3.7.5 (+1 more) | 2020-06-19
CWE-916. An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
Source: nvd

CVE-2019-20880 | HIGH | CVSS 7.5 | fixed in 4.10.7 | affected: ≥ 5.6.0, < 5.6.5 (+2 more) | 2020-06-19
CWE-770. An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
Source: nvd

CVE-2019-20859 | HIGH | CVSS 7.5 | fixed in 4.10.8 | affected: ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
Source: nvd

CVE-2019-20874 | HIGH | CVSS 7.5 | fixed in 4.10.8 | affected: ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
Source: nvd

CVE-2019-20862 | HIGH | CVSS 7.5 | fixed in 5.13.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
Source: nvd

CVE-2019-20857 | HIGH | CVSS 7.5 | fixed in 5.16.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
Source: nvd

CVE-2018-21263 | HIGH | CVSS 8.8 | fixed in 4.5.2 | affected: ≥ 4.6.0, < 4.6.2 (+1 more) | 2020-06-19
CWE-287. An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
Source: nvd

CVE-2019-20841 | HIGH | CVSS 8.8 | fixed in 5.9.7 | affected: ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
CWE-352. An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
Source: nvd

CVE-2019-20881 | HIGH | CVSS 7.3 | fixed in 5.8.0 | 2020-06-19
CWE-307. An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
Source: nvd

CVE-2018-21258 | HIGH | CVSS 7.5 | fixed in 5.1.0 | 2020-06-19
CWE-74. An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
Source: nvd

CVE-2019-20871 | HIGH | CVSS 7.5 | fixed in 4.10.8 | affected: ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
Source: nvd

CVE-2019-20842 | HIGH | CVSS 7.2 | fixed in 5.9.7 | affected: ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
CWE-89. An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
Source: nvd

CVE-2020-14447 | HIGH | CVSS 7.5 | fixed in 5.23.0 | 2020-06-19
CWE-835. An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
Source: nvd

CVE-2018-21262 | HIGH | CVSS 7.5 | fixed in 4.7.3 | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text.
Source: nvd

CVE-2019-20846 | HIGH | CVSS 7.5 | fixed in 5.18.0 | 2020-06-19
CWE-281. An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
Source: nvd

CVE-2015-9548 | HIGH | CVSS 7.5 | fixed in 1.2.0 | 2020-06-19
CWE-400. An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
Source: nvd
CVE-2017-18894 | HIGH | CVSS 8.1 | fixed in 4.0.5 | affected: ≥ 4.1.0, < 4.1.1 (+1 more) | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes, resource-owner authorization is bypassed, allowing account takeover.
Source: nvd
CVE-2018-21264 | HIGH | CVSS 8.8 | fixed in 4.5.2 | affected: ≥ 4.6.0, < 4.6.2 (+1 more) | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response.
Source: nvd

CVE-2019-20855 | HIGH | CVSS 7.5 | fixed in 5.9.6 | affected: ≥ 5.14.0, < 5.14.5 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
Source: nvd