Mattermost: Security Vulnerabilities
Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
CVSS Score
4.3
EPSS Score
0.003
Published
2023-11-27
Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-27
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-06
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
CVSS Score
4.9
EPSS Score
0.001
Published
2023-11-06
Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-11-06
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server
CVSS Score
3.7
EPSS Score
0.002
Published
2023-11-02
Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service.
CVSS Score
3.1
EPSS Score
0.001
Published
2023-11-02
Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input.
CVSS Score
2.9
EPSS Score
0.001
Published
2023-11-02
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged.
CVSS Score
4.7
EPSS Score
0.001
Published
2023-10-17
Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-10-17