Mattermost Server vulnerabilities
417 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 417
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 16, HIGH 77, MEDIUM 288, LOW 36
Vulnerabilities
Page 17 of 21
CVE-2017-18903 | HIGH | CVSS 8.8 | CWE-352 | fixed in 3.9.2; ≥ 3.10.0, < 3.10.2 | 2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
Source: nvd
CVE-2019-20886 | HIGH | CVSS 7.5 | CWE-269 | fixed in 5.8.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
Source: nvd
CVE-2017-18884 | HIGH | CVSS 8.1 | CWE-269 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
Source: nvd
CVE-2020-14459 | HIGH | CVSS 7.5 | CWE-20 | fixed in 5.19.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
Source: nvd
CVE-2016-11069 | HIGH | CVSS 7.5 | CWE-521 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
Source: nvd
CVE-2019-20865 | HIGH | CVSS 8.8 | CWE-352 | fixed in 4.10.10; ≥ 5.9.0, < 5.9.2 (+3 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
Source: nvd
CVE-2019-20885 | HIGH | CVSS 7.5 | CWE-862 | fixed in 5.8.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
Source: nvd
CVE-2019-20843 | HIGH | CVSS 7.5 | CWE-281 | fixed in 5.9.7; ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
Source: nvd
CVE-2016-11066 | HIGH | CVSS 7.5 | CWE-200 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
Source: nvd
CVE-2016-11063 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.5.1 | 2020-06-19
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
Source: nvd
CVE-2016-11068 | MEDIUM | CVSS 5.3 | CWE-74 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
Source: nvd
CVE-2019-20887 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 4.10.6; ≥ 5.5.0, < 5.5.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
Source: nvd
CVE-2019-20844 | MEDIUM | CVSS 6.5 | CWE-924 | fixed in 5.9.7; ≥ 5.15.0, < 5.15.4 (+3 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel.
Source: nvd
CVE-2020-14452 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 5.21.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
Source: nvd
CVE-2017-18899 | MEDIUM | CVSS 5.3 | CWE-770 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
Source: nvd
CVE-2016-11073 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
Source: nvd
CVE-2017-18876 | MEDIUM | CVSS 4.9 | CWE-732 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
Source: nvd
CVE-2017-18921 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.5.2 | 2020-06-19
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
Source: nvd
CVE-2016-11078 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
Source: nvd
CVE-2019-20890 | MEDIUM | CVSS 4.3 | fixed in 5.7.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
Source: nvd