Mattermost Server vulnerabilities
417 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 417 | CISA KEV: 0 | Public exploits: 0 | Exploited in wild: 0
Severity breakdown: CRITICAL 16 | HIGH 77 | MEDIUM 288 | LOW 36
Vulnerabilities (page 18 of 21)
CVE-2019-20878 | MEDIUM | CVSS 4.3 | fixed in 4.10.8; affected ≥ 5.7.0, < 5.7.3 (+2 more ranges) | published 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled.
Source: NVD
CVE-2016-11081 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 2.2.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
Source: NVD
CVE-2019-20870 | MEDIUM | CVSS 4.3 | CWE-20 | fixed in 5.10.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.
Source: NVD
CVE-2017-18878 | MEDIUM | CVSS 4.3 | CWE-732 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
Source: NVD
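The bug class behind CVE-2017-18878 is treating a session ID as a capability: whoever can name the ID can act on it. The following is an added example, not Mattermost's code, written in Go because that is the server's language. It shows the unchecked revoke beside one that loads the session and verifies the caller owns it (or is an admin) before deleting it; for non-admins, "not yours" and "does not exist" return the same error so the endpoint cannot be used to test whether a guessed ID is live. The SessionStore, Caller and error names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var (
	ErrNotFound  = errors.New("session not found")
	ErrForbidden = errors.New("not permitted to revoke this session")
)

// Session is the minimal shape needed here: which user owns it.
type Session struct {
	ID     string
	UserID string
}

// SessionStore is an in-memory stand-in for the real session table (assumed).
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]Session
}

func NewSessionStore(seed ...Session) *SessionStore {
	st := &SessionStore{sessions: make(map[string]Session)}
	for _, s := range seed {
		st.sessions[s.ID] = s
	}
	return st
}

func (st *SessionStore) Get(id string) (Session, bool) {
	st.mu.Lock()
	defer st.mu.Unlock()
	s, ok := st.sessions[id]
	return s, ok
}

func (st *SessionStore) Delete(id string) {
	st.mu.Lock()
	defer st.mu.Unlock()
	delete(st.sessions, id)
}

// Caller is the authenticated principal behind the revoke request.
type Caller struct {
	UserID  string
	IsAdmin bool
}

// RevokeNaive is the weak pattern: possession of a session ID is treated as
// authority over it, so anyone who learns an ID can log that user out.
func RevokeNaive(st *SessionStore, _ Caller, sessionID string) error {
	if _, ok := st.Get(sessionID); !ok {
		return ErrNotFound
	}
	st.Delete(sessionID)
	return nil
}

// RevokeHardened loads the session and checks ownership before deleting.
// Non-admins get the same error for a foreign ID and an unknown ID, so the
// endpoint is not an oracle for which session IDs are currently valid.
func RevokeHardened(st *SessionStore, c Caller, sessionID string) error {
	sess, ok := st.Get(sessionID)
	switch {
	case !ok && c.IsAdmin:
		return ErrNotFound
	case !ok, sess.UserID != c.UserID && !c.IsAdmin:
		return ErrForbidden
	}
	st.Delete(sessionID)
	return nil
}

func main() {
	// Constructed data: two users' sessions and a third party who learned an ID.
	st := NewSessionStore(Session{ID: "s-alice", UserID: "alice"}, Session{ID: "s-bob", UserID: "bob"})
	mallory := Caller{UserID: "mallory"}
	fmt.Println("naive:", RevokeNaive(st, mallory, "s-alice"))
	fmt.Println("hardened:", RevokeHardened(st, mallory, "s-bob"))
}
```

The ownership check must run against the stored session record, not against anything the client sends alongside the ID; a user-supplied "user_id" field next to the session ID would just move the problem.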
CVE-2019-20877 | MEDIUM | CVSS 5.3 | fixed in 4.10.8; affected ≥ 5.7.0, < 5.7.3 (+2 more ranges) | published 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
Source: NVD
CVE-2017-18881 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command.
Source: NVD
CVE-2017-18882 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
Source: NVD
CVE-2019-20866 | MEDIUM | CVSS 5.3 | CWE-444 | fixed in 5.12.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
Source: NVD
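CVE-2019-20866 is the general X-Forwarded-For trust problem: a server that believes a proxy header from any peer lets the client choose its own "source address", which matters wherever that address feeds rate limits, audit logs or IP allowlists. The following is an added example in Go, not Mattermost's code. It puts the naive resolver next to one that honours the header only when the TCP peer is a configured trusted proxy, and then walks the header from the right so that only the hop appended by a trusted proxy is believed. The TrustedProxies type and the CIDR list are this example's assumptions, not a Mattermost setting.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// remoteHost strips the port from http.Request.RemoteAddr.
func remoteHost(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

// ClientIPNaive is the weak pattern: it believes the leftmost X-Forwarded-For
// value no matter who sent it, so any direct client can claim any address.
func ClientIPNaive(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return remoteHost(r.RemoteAddr)
}

// TrustedProxies is the set of reverse proxies whose X-Forwarded-For
// entries are believed (an assumed deployment setting for this example).
type TrustedProxies struct{ nets []*net.IPNet }

func NewTrustedProxies(cidrs ...string) (*TrustedProxies, error) {
	t := &TrustedProxies{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted proxy %q: %w", c, err)
		}
		t.nets = append(t.nets, n)
	}
	return t, nil
}

func (t *TrustedProxies) Contains(ip net.IP) bool {
	for _, n := range t.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIPHardened consults X-Forwarded-For only when the TCP peer is a
// trusted proxy. It then walks the header from the right, skipping hops that
// are themselves trusted proxies: the first untrusted hop is the address a
// trusted proxy actually saw; everything left of it is client-controlled.
func ClientIPHardened(r *http.Request, t *TrustedProxies) string {
	peer := remoteHost(r.RemoteAddr)
	peerIP := net.ParseIP(peer)
	if peerIP == nil || !t.Contains(peerIP) {
		return peer // header came straight from a client: ignore it
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed entry: nothing left of it is trustworthy
		}
		if !t.Contains(ip) {
			return ip.String()
		}
	}
	return peer // empty header, or only proxies in it
}

func main() {
	tp, _ := NewTrustedProxies("10.0.0.0/8")
	// Constructed request: a direct, untrusted client forging a loopback origin.
	r, _ := http.NewRequest("GET", "/api/v4/users/login", nil)
	r.RemoteAddr = "203.0.113.7:51234"
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	fmt.Println("naive:", ClientIPNaive(r), "hardened:", ClientIPHardened(r, tp))
}
```

Walking from the right rather than taking the first entry is the important detail: a client behind a legitimate proxy can still prepend junk to the header, and only the entries added by your own proxies carry any weight.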
CVE-2019-20875 | MEDIUM | CVSS 5.3 | CWE-287 | fixed in 4.10.8; affected ≥ 5.7.0, < 5.7.3 (+2 more ranges) | published 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.
Source: NVD
CVE-2019-20867 | MEDIUM | CVSS 5.3 | fixed in 5.11.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
Source: NVD
CVE-2020-14457 | MEDIUM | CVSS 5.3 | fixed in 5.20.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
Source: NVD
CVE-2017-18877 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≥ 4.1.0, < 4.1.2; ≥ 4.2.0, < 4.2.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
Source: NVD
CVE-2017-18895 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 4.0.5; affected ≥ 4.1.0, < 4.1.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
Source: NVD
CVE-2016-11070 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 3.1.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
Source: NVD
CVE-2019-20884 | MEDIUM | CVSS 5.3 | fixed in 5.8.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
Source: NVD
CVE-2017-18898 | MEDIUM | CVSS 5.3 | CWE-404 | fixed in 4.0.5; affected ≥ 4.1.0, < 4.1.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
Source: NVD
CVE-2017-18870 | MEDIUM | CVSS 4.3 | CWE-732 | fixed in 4.3.4; affected ≥ 4.4.0, < 4.4.5 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.
Source: NVD
CVE-2017-18879 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.1.2; affected ≥ 4.2.0, < 4.2.1 (+1 more range) | published 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
Source: NVD
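CVE-2017-18879 (author_link), CVE-2017-18882 (OpenGraph data) and CVE-2017-18881 (goto_location) share a sink: a URL that the server accepts from an integration or a fetched page and that the client later renders into a link or navigates to. HTML-escaping does not help against a javascript: or data: scheme in that position; the value has to be validated as an absolute http(s) URL or dropped. The following is an added example in Go, not Mattermost's code; the Attachment struct and Sanitized method are this example's own, with field names borrowed from the Slack attachment format.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeLink returns raw if it is an absolute http or https URL, else "".
// javascript:, data:, vbscript:, scheme-relative ("//host/x") and relative
// paths are all dropped rather than escaped: once a value lands in an href
// or a navigation target, escaping does not stop the scheme from running.
func SafeLink(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "" // includes URLs with embedded control characters such as "java\tscript:"
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return ""
	}
	if u.Host == "" {
		return ""
	}
	return u.String()
}

// Attachment holds the link-bearing fields of a Slack-style message
// attachment (field names follow that format; the struct is this example's).
type Attachment struct {
	AuthorName string
	AuthorLink string
	TitleLink  string
	ImageURL   string
}

// Sanitized returns a copy with every link field passed through SafeLink.
// This belongs server-side at post creation, before the value is stored,
// so every client that later renders the post sees only vetted links.
func (a Attachment) Sanitized() Attachment {
	a.AuthorLink = SafeLink(a.AuthorLink)
	a.TitleLink = SafeLink(a.TitleLink)
	a.ImageURL = SafeLink(a.ImageURL)
	return a
}

func main() {
	// Constructed input: one benign link and one that would execute in an href.
	in := Attachment{
		AuthorName: "ci-bot",
		AuthorLink: "javascript:alert(document.cookie)",
		TitleLink:  "https://ci.example.test/build/42",
	}
	fmt.Printf("%+v\n", in.Sanitized())
}
```

The same SafeLink check applies to a goto_location value returned by a slash command and to og:url / og:image values pulled from a third-party page: validate the scheme and host on the server, and treat anything that fails as absent rather than trying to repair it.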
CVE-2016-11083 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.2.0 | published 2020-06-19
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
Source: NVD
CVE-2019-20879 | MEDIUM | CVSS 4.3 | CWE-287 | fixed in 4.10.7; affected ≥ 5.6.0, < 5.6.5 (+2 more ranges) | published 2020-06-19
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry.
Source: NVD
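Three entries on this page concern the same state machine: CVE-2019-20879 (an e-mail change without re-entering the password), CVE-2019-20875 (a password reset allowed to proceed while an e-mail change is pending) and CVE-2019-20878 (in-app e-mail changes mishandled). The e-mail address is the recovery channel for the password, so the two flows have to be serialised. The following is an added example in Go, not Mattermost's code, of an account model that requires the current password to start a change, confirms the new address with a token sent to it, drops any outstanding reset token when a change starts, and refuses to issue a new reset token until the change is confirmed or abandoned. Account, the error names and the salted SHA-256 stand-in for a real password hash are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrReauthRequired     = errors.New("current password required to change e-mail")
	ErrEmailChangePending = errors.New("password reset refused: e-mail change pending")
	ErrBadToken           = errors.New("invalid or consumed token")
)

// Account is a minimal user record for this example.
type Account struct {
	Email        string
	PendingEmail string // set while a change awaits confirmation at the new address
	salt         []byte
	pwHash       []byte
	emailToken   []byte // one-time token that would be mailed to PendingEmail
	resetToken   []byte // one-time password-reset token mailed to Email
}

// hashPassword is a stand-in: salted SHA-256 keeps the example stdlib-only.
// Real code uses bcrypt or argon2.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

func randomToken() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewAccount(email, password string) *Account {
	a := &Account{Email: email, salt: randomToken()}
	a.pwHash = hashPassword(a.salt, password)
	return a
}

func (a *Account) checkPassword(pw string) bool {
	return subtle.ConstantTimeCompare(a.pwHash, hashPassword(a.salt, pw)) == 1
}

// RequestEmailChange re-authenticates with the current password, parks the
// new address as pending, and drops any outstanding reset token so a reset
// started against the old address cannot complete mid-change. It returns
// the confirmation token that would be mailed to newEmail.
func (a *Account) RequestEmailChange(currentPassword, newEmail string) (string, error) {
	if !a.checkPassword(currentPassword) {
		return "", ErrReauthRequired
	}
	a.PendingEmail = newEmail
	a.emailToken = randomToken()
	a.resetToken = nil
	return hex.EncodeToString(a.emailToken), nil
}

// ConfirmEmailChange applies the pending address only with the token that
// was sent to it, which proves control of the new mailbox.
func (a *Account) ConfirmEmailChange(token string) error {
	t, err := hex.DecodeString(token)
	if err != nil || a.emailToken == nil || subtle.ConstantTimeCompare(t, a.emailToken) != 1 {
		return ErrBadToken
	}
	a.Email, a.PendingEmail = a.PendingEmail, ""
	a.emailToken = nil
	return nil
}

// RequestPasswordReset refuses to start a reset while an e-mail change is
// unconfirmed: until then it is ambiguous which mailbox owns the account.
func (a *Account) RequestPasswordReset() (string, error) {
	if a.PendingEmail != "" {
		return "", ErrEmailChangePending
	}
	a.resetToken = randomToken()
	return hex.EncodeToString(a.resetToken), nil
}

// CompletePasswordReset consumes the token and rotates salt and hash.
func (a *Account) CompletePasswordReset(token, newPassword string) error {
	t, err := hex.DecodeString(token)
	if err != nil || a.resetToken == nil || subtle.ConstantTimeCompare(t, a.resetToken) != 1 {
		return ErrBadToken
	}
	a.resetToken = nil
	a.salt = randomToken()
	a.pwHash = hashPassword(a.salt, newPassword)
	return nil
}

func main() {
	a := NewAccount("alice@example.test", "hunter2") // constructed account
	_, err := a.RequestEmailChange("", "alice@new.test")
	fmt.Println("change without password:", err)
	tok, _ := a.RequestEmailChange("hunter2", "alice@new.test")
	_, err = a.RequestPasswordReset()
	fmt.Println("reset while pending:", err)
	fmt.Println("confirm:", a.ConfirmEmailChange(tok), "email now", a.Email)
}
```

The ordering matters: re-authentication protects against a hijacked browser session turning into a permanent takeover, the pending state protects the reset channel, and invalidating old reset tokens closes the window in which a token mailed to the old address is still honoured after the address has moved.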