Mattermost Server vulnerabilities
389 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 389
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 74, MEDIUM 266, LOW 34
Vulnerabilities
Page 18 of 20
CVE-2016-11065 | MEDIUM | CVSS 4.3 | CWE-732 | fixed in 3.3.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
Source: nvd
CVE-2017-18905 | MEDIUM | CVSS 5.3 | CWE-613 | fixed in 3.9.2; affected ≥ 3.10.0, < 3.10.2 | 2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider: session invalidation was mishandled.
Source: nvd
CVE-2017-18916 | MEDIUM | CVSS 5.3 | CWE-732 | fixed in 3.6.7; affected ≥ 3.7.0, < 3.7.5 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
Source: nvd
CVE-2017-18914 | MEDIUM | CVSS 5.3 | CWE-754 | fixed in 3.6.7; affected ≥ 3.7.0, < 3.7.5 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
Source: nvd
CVE-2018-21250 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 4.10.4; affected ≥ 5.1.0, < 5.1.2 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.
Source: nvd
CVE-2016-11080 | MEDIUM | CVSS 4.3 | CWE-732 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
Source: nvd
CVE-2020-14460 | MEDIUM | CVSS 6.5 | fixed in 5.9.8; affected ≥ 5.16.0, < 5.16.5 (+3 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
Source: nvd
CVE-2016-11084 | MEDIUM | CVSS 6.1 | CWE-352 | fixed in 2.1.0 | 2020-06-19
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
Source: nvd
CVE-2016-11067 | MEDIUM | CVSS 5.3 | CWE-20 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
Source: nvd
CVE-2016-11079 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
Source: nvd
CVE-2016-11071 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.1.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
Source: nvd
CVE-2017-18902 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 3.10.3; affected ≥ 4.0.0, < 4.0.4 | 2020-06-19
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
Source: nvd
CVE-2018-21259 | MEDIUM | CVSS 5.3 | CWE-20 | fixed in 4.8.2; affected ≥ 4.9.0, < 4.9.4 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel.
Source: nvd
CVE-2017-18874 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
Source: nvd
CVE-2017-18873 | MEDIUM | CVSS 5.3 | CWE-20 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
Source: nvd
CVE-2017-18919 | MEDIUM | CVSS 5.3 | CWE-287 | fixed in 3.6.3 | 2020-06-19
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
Source: nvd
CVE-2018-21255 | MEDIUM | CVSS 4.3 | CWE-732 | fixed in 5.1.0 | 2020-06-19
An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel.
Source: nvd
CVE-2016-11072 | MEDIUM | CVSS 6.5 | CWE-287 | fixed in 3.0.2 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
Source: nvd
CVE-2017-18875 | MEDIUM | CVSS 4.9 | CWE-732 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
Source: nvd
CVE-2019-20869 | MEDIUM | CVSS 5.3 | fixed in 4.10.9; affected ≥ 5.7.0, < 5.7.3 (+3 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel.
Source: nvd