Mattermost Server vulnerabilities
389 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 389
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 74, MEDIUM 266, LOW 34
Vulnerabilities
Page 16 of 20
CVE-2016-11066 | HIGH | CVSS 7.5 | CWE-200 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
Source: nvd
CVE-2016-11063 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.5.1 | 2020-06-19
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
Source: nvd
CVE-2016-11068 | MEDIUM | CVSS 5.3 | CWE-74 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
Source: nvd
CVE-2019-20887 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 4.10.6; ≥ 5.5.0, < 5.5.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
Source: nvd
CVE-2019-20844 | MEDIUM | CVSS 6.5 | CWE-924 | fixed in 5.9.7; ≥ 5.15.0, < 5.15.4; +3 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel.
Source: nvd
CVE-2020-14452 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 5.21.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
Source: nvd
CVE-2017-18899 | MEDIUM | CVSS 5.3 | CWE-770 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
Source: nvd
CVE-2016-11073 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
Source: nvd
CVE-2017-18876 | MEDIUM | CVSS 4.9 | CWE-732 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
Source: nvd
CVE-2017-18921 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.5.2 | 2020-06-19
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
Source: nvd
CVE-2016-11078 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
Source: nvd
CVE-2019-20890 | MEDIUM | CVSS 4.3 | fixed in 5.7.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
Source: nvd
CVE-2019-20878 | MEDIUM | CVSS 4.3 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled.
Source: nvd
CVE-2016-11081 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 2.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
Source: nvd
CVE-2019-20870 | MEDIUM | CVSS 4.3 | CWE-20 | fixed in 5.10.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.
Source: nvd
CVE-2017-18878 | MEDIUM | CVSS 4.3 | CWE-732 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
Source: nvd
CVE-2019-20877 | MEDIUM | CVSS 5.3 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
Source: nvd
CVE-2017-18881 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command.
Source: nvd
CVE-2017-18882 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
Source: nvd
CVE-2019-20866 | MEDIUM | CVSS 5.3 | CWE-444 | fixed in 5.12.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
Source: nvd