Mattermost Server vulnerabilities

389 known vulnerabilities affecting mattermost/mattermost_server.

Total CVEs: 389
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 74, MEDIUM 266, LOW 34

Vulnerabilities

Page 17 of 20
CVE-2019-20875 | MEDIUM | CVSS 5.3 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
CWE-287. An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.
Source: NVD
CVE-2019-20867 | MEDIUM | CVSS 5.3 | fixed in 5.11.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
Source: NVD
CVE-2020-14457 | MEDIUM | CVSS 5.3 | fixed in 5.20.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
Source: NVD
CVE-2017-18877 | MEDIUM | CVSS 6.1 | ≥ 4.1.0, < 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
Source: NVD
CVE-2017-18895 | MEDIUM | CVSS 5.3 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-200. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
Source: NVD
CVE-2016-11070 | MEDIUM | CVSS 5.4 | fixed in 3.1.0 | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
Source: NVD
CVE-2019-20884 | MEDIUM | CVSS 5.3 | fixed in 5.8.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
Source: NVD
CVE-2017-18898 | MEDIUM | CVSS 5.3 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-404. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
Source: NVD
CVE-2017-18870 | MEDIUM | CVSS 4.3 | fixed in 4.3.4; ≥ 4.4.0, < 4.4.5; +1 more | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.
Source: NVD
CVE-2017-18879 | MEDIUM | CVSS 6.1 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
Source: NVD
CVE-2016-11083 | MEDIUM | CVSS 6.1 | fixed in 2.2.0 | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
Source: NVD
CVE-2019-20879 | MEDIUM | CVSS 4.3 | fixed in 4.10.7; ≥ 5.6.0, < 5.6.5; +2 more | 2020-06-19
CWE-287. An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry.
Source: NVD
CVE-2019-20876 | MEDIUM | CVSS 5.4 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
Source: NVD
CVE-2019-20873 | MEDIUM | CVSS 6.5 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
Source: NVD
CVE-2019-20860 | MEDIUM | CVSS 5.5 | fixed in 5.9.4; ≥ 5.12.0, < 5.12.6; +2 more | 2020-06-19
An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.
Source: NVD
CVE-2017-18872 | MEDIUM | CVSS 4.3 | fixed in 4.3.3; ≥ 4.4.0, < 4.4.3 | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
Source: NVD
CVE-2017-18893 | MEDIUM | CVSS 6.1 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
Source: NVD
CVE-2018-21252 | MEDIUM | CVSS 4.3 | fixed in 4.10.3; ≥ 5.0.0, < 5.0.3; +2 more | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.
Source: NVD
CVE-2017-18897 | MEDIUM | CVSS 6.1 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-601. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
Source: NVD
CVE-2017-18887 | MEDIUM | CVSS 5.3 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
CWE-200. An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
Source: NVD