Security Vulnerabilities - CVEs Published In June 2020
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
CVSS Score
7.5
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
CVSS Score
4.9
EPSS Score
0.001
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-06-19
Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.
CVSS Score
7.1
EPSS Score
0.001
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
CVSS Score
7.5
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-06-19