All the vulnerabilities related to Mattermost - Mattermost
cve-2024-42000
Vulnerability from cvelistv5
Published
2024-11-09 17:17
Modified
2024-11-12 14:53
Summary
Unauthorized Access to view channels' details
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-42000", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T14:52:58.078631Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T14:53:08.813Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.10.2", "status": "affected", "version": "9.10.0", "versionType": "semver" }, { "lessThanOrEqual": "9.11.1", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "10.0.0" }, { "status": "unaffected", "version": "10.1.0" }, { "status": "unaffected", "version": "9.10.3" }, { "status": "unaffected", "version": "9.11.2" }, { "status": "unaffected", "version": "9.5.10" }, { "status": "unaffected", "version": "10.0.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "othman (3thm4n)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 and 10.0.x \u0026lt;= 10.0.0 fail to properly authorize the requests to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/api/v4/channels\u003c/span\u003e \u0026nbsp;which allows\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea User or System Manager, with \"Read Groups\" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request 
to\u0026nbsp;/api/v4/channels.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 and 10.0.x \u003c= 10.0.0 fail to properly authorize the requests to\u00a0/api/v4/channels \u00a0which allows\u00a0a User or System Manager, with \"Read Groups\" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to\u00a0/api/v4/channels." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-09T17:17:25.038Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.1.0, 9.10.3, 9.11.2, 9.5.10, 10.0.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.1.0, 9.10.3, 9.11.2, 9.5.10, 10.0.1 or higher." 
} ], "source": { "advisory": "MMSA-2024-00381", "defect": [ "https://mattermost.atlassian.net/browse/MM-60239" ], "discovery": "EXTERNAL" }, "title": "Unauthorized Access to view channels\u0027 details", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-42000", "datePublished": "2024-11-09T17:17:25.038Z", "dateReserved": "2024-11-05T09:14:34.854Z", "dateUpdated": "2024-11-12T14:53:08.813Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1421
Vulnerability from cvelistv5
Published
2023-03-15 22:51
Modified
2024-08-02 05:49
Summary
Reflected XSS in OAuth flow completion endpoints
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:49:11.322Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.7", "status": "affected", "version": "5.32.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "zerodivisi0n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter." } ], "value": "A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter." 
} ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-15T22:51:25.597Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.7 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.7 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00131", "defect": [ "https://mattermost.atlassian.net/browse/MM-42334" ], "discovery": "EXTERNAL" }, "title": "Reflected XSS in OAuth flow completion endpoints", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1421", "datePublished": "2023-03-15T22:51:25.597Z", "dateReserved": "2023-03-15T22:45:54.197Z", "dateUpdated": "2024-08-02T05:49:11.322Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45847
Vulnerability from cvelistv5
Published
2023-12-12 08:17
Modified
2024-08-02 20:29
Summary
Playbook Plugin Crash via Run Checklist
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.513Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.2.2" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.0.4" }, { "status": "unaffected", "version": "9.1.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin\u003c/p\u003e" } ], "value": "Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:17:10.088Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.2.2\u0026nbsp;\u003c/span\u003eor higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u00a09.2.2\u00a0or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00231", "defect": [ "https://mattermost.atlassian.net/browse/MM-53752" ], "discovery": "EXTERNAL" }, "title": " Playbook Plugin Crash via Run Checklist", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-45847", "datePublished": "2023-12-12T08:17:10.088Z", "dateReserved": "2023-12-05T08:04:35.036Z", "dateUpdated": "2024-08-02T20:29:32.513Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-10214
Vulnerability from cvelistv5
Published
2024-10-28 14:12
Modified
2024-10-28 14:55
Summary
Incorrect Session Creation with Desktop SSO
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-10214", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-28T14:55:40.968981Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-28T14:55:50.766Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.11.1", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.0.0" }, { "status": "unaffected", "version": "9.11.2" }, { "status": "unaffected", "version": "9.5.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Ben Cooke" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.11.X \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.11.X \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-28T14:12:37.346Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.11.2, 9.5.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.0.0, 9.11.2, 9.5.10 or higher." } ], "source": { "advisory": "MMSA-2024-00363", "defect": [ "https://mattermost.atlassian.net/browse/MM-59034" ], "discovery": "INTERNAL" }, "title": "Incorrect Session Creation with Desktop SSO", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-10214", "datePublished": "2024-10-28T14:12:37.346Z", "dateReserved": "2024-10-21T15:43:29.795Z", "dateUpdated": "2024-10-28T14:55:50.766Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36257
Vulnerability from cvelistv5
Published
2024-07-03 08:29
Modified
2024-08-02 03:37
Summary
Lack of permission check when updating the profile picture of a remote user (shared channels enabled)
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.5.0:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.8.0:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.8.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-36257", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T13:14:03.579159Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T13:37:07.512Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:37:03.658Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.5 and 9.8.0,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 
255);\"\u003ewhen using shared channels with multiple remote servers connected,\u003c/span\u003e\u0026nbsp;fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\u0026nbsp;This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.5 and 9.8.0,\u00a0when using shared channels with multiple remote servers connected,\u00a0fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one .\u00a0This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T08:29:10.457Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher.\u003c/p\u003e" } 
], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher." } ], "source": { "advisory": "MMSA-2024-00327", "defect": [ "https://mattermost.atlassian.net/browse/MM-57859" ], "discovery": "EXTERNAL" }, "title": "Lack of permission check when updating the profile picture of a remote user (shared channels enabled)", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-36257", "datePublished": "2024-07-03T08:29:10.457Z", "dateReserved": "2024-07-01T10:22:11.588Z", "dateUpdated": "2024-08-02T03:37:03.658Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27263
Vulnerability from cvelistv5
Published
2023-02-27 14:44
Modified
2024-08-02 12:09
Summary
IDOR: Accessing playbook runs via the Playbooks Runs API
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:09:43.394Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "Playbooks" ], "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.5.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.4.0", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.4", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "foobar7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eA missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.\u003cbr\u003e\u003c/div\u003e" } ], "value": "A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], 
"providerMetadata": { "dateUpdated": "2023-02-27T14:44:52.790Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version 7.5.2, 7.4.1, 7.1.5, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version 7.5.2, 7.4.1, 7.1.5, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00135", "defect": [ "https://mattermost.atlassian.net/browse/MM-47980" ], "discovery": "EXTERNAL" }, "title": "IDOR: Accessing playbook runs via the Playbooks Runs API", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-27263", "datePublished": "2023-02-27T14:44:52.790Z", "dateReserved": "2023-02-27T14:31:01.786Z", "dateUpdated": "2024-08-02T12:09:43.394Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27266
Vulnerability from cvelistv5
Published
2023-02-27 14:46
Modified
2024-08-02 12:09
Summary
Disclosure of team owner email address when accessing the teams API
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:09:42.317Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.7.0", "status": "affected", "version": "5.12.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "foobar7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\u003cbr\u003e\u003c/div\u003e" } ], "value": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-27T14:46:28.880Z", 
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version 7.7.0 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version 7.7.0 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00132", "defect": [ "https://mattermost.atlassian.net/browse/MM-47983" ], "discovery": "EXTERNAL" }, "title": "Disclosure of team owner email address when when accessing the teams API", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-27266", "datePublished": "2023-02-27T14:46:28.880Z", "dateReserved": "2023-02-27T14:31:01.786Z", "dateUpdated": "2024-08-02T12:09:42.317Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1888
Vulnerability from cvelistv5
Published
2024-02-29 08:08
Modified
2024-08-01 18:56
Summary
Existing server guests invited to the team by members without "invite_guest" permission
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1888", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T16:46:21.843468Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:59:37.435Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.307Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.4.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.0", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "9.4.2" }, { "status": "unaffected", "version": "9.3.1" }, { "status": "unaffected", "version": "9.2.5" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eva Sarafianou" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check the\u0026nbsp;\"invite_guest\" permission when inviting\u0026nbsp;guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the 
guest was already a guest in another team of the server\u003c/p\u003e" } ], "value": "Mattermost fails to check the\u00a0\"invite_guest\" permission when inviting\u00a0guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T08:08:08.272Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 9.4.2, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5.0, 9.4.2, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00285", "defect": [ "https://mattermost.atlassian.net/browse/MM-55607" ], "discovery": "INTERNAL" }, "title": "Existing server guests invited to the team by members without \"invite_guest\" permission", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-1888", "datePublished": "2024-02-29T08:08:08.272Z", 
"dateReserved": "2024-02-26T09:37:53.013Z", "dateUpdated": "2024-08-01T18:56:22.307Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5522
Vulnerability from cvelistv5
Published
2023-10-17 09:41
Modified
2024-09-05 19:58
Summary
Mobile app freezes when receiving a post with hundreds of emojis
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:59:44.863Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5522", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:57:57.382239Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:58:49.574Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "2.8.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.8.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "\u0160imon \u010cech\u00e1\u010dek" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Mobile fails to limit\u0026nbsp;the maximum number of Markdown elements in a post allowing an attacker to s\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eend a post with \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehundreds of emojis to a channel and\u003c/span\u003e\u0026nbsp;freeze the mobile app of users when viewing that particular channel.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost Mobile fails to limit\u00a0the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and\u00a0freeze the mobile app of users when viewing that particular channel.\u00a0\n\n" } ], 
"metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T09:41:14.833Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Mobile to versions 2.8.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Mobile to versions 2.8.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00226", "defect": [ "https://mattermost.atlassian.net/browse/MM-53106" ], "discovery": "EXTERNAL" }, "title": "Mobile app freezes when receiving a post with hundreds of emojis", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5522", "datePublished": "2023-10-17T09:41:14.833Z", "dateReserved": "2023-10-11T12:14:11.518Z", "dateUpdated": "2024-09-05T19:58:49.574Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-29977
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 14:35
Summary
Malicious remote can create arbitrary reactions on arbitrary posts
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-29977", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T14:34:53.471206Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:35:07.529Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6 fail to properly validate\u0026nbsp;synced reactions, when shared channels are enabled,\u0026nbsp;which allows a malicious remote to create arbitrary reactions on arbitrary posts\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6 fail to properly validate\u00a0synced reactions, when shared channels are enabled,\u00a0which allows a malicious remote to create arbitrary reactions on arbitrary posts" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, 
"format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:00.340Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher." } ], "source": { "advisory": "MMSA-2024-00356", "defect": [ "https://mattermost.atlassian.net/browse/MM-58578" ], "discovery": "INTERNAL" }, "title": "Malicious remote can create arbitrary reactions on arbitrary posts", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-29977", "datePublished": "2024-08-01T14:05:00.340Z", "dateReserved": "2024-07-23T19:00:08.575Z", "dateUpdated": "2024-08-01T14:35:07.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24774
Vulnerability from cvelistv5
Published
2024-02-09 14:46
Modified
2024-08-21 15:26
Summary
Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:12.325Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-24774", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-21T15:25:20.905486Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-21T15:26:06.746Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.8" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Kochell" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in\u0026nbsp;registered users on Jira being able to create webhooks that give them access to all Jira issues.\u003c/p\u003e" } ], "value": "Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in\u00a0registered users on Jira being able to create webhooks that give them access to all Jira issues.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 
3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-09T14:46:58.777Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to version\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e4.0.1 or higher.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to version\u00a04.0.1 or higher.\u00a0\n\n" } ], "source": { "advisory": "MMSA-2023-00187", "defect": [ "https://mattermost.atlassian.net/browse/MM-44212" ], "discovery": "EXTERNAL" }, "title": "Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-24774", "datePublished": "2024-02-09T14:46:58.777Z", "dateReserved": "2024-01-30T10:23:06.701Z", "dateUpdated": "2024-08-21T15:26:06.746Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2000
Vulnerability from cvelistv5
Published
2023-05-02 08:57
Modified
2024-08-02 06:05
Summary
Unrestricted navigation due to unvalidated mattermost server redirection
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:05:27.107Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.2.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.3.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost Desktop App fails to validate a mattermost server redirection and navigates\u0026nbsp;to an arbitrary website\u003cbr\u003e" } ], "value": "Mattermost Desktop App fails to validate a mattermost server redirection and navigates\u00a0to an arbitrary website\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-02T08:57:39.331Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": 
false, "type": "text/html", "value": "Update Mattermost \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDesktop App\u0026nbsp;\u003c/span\u003eto version\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ev5.3 or\u0026nbsp;\u003c/span\u003ehigher.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e" } ], "value": "Update Mattermost Desktop App\u00a0to version\u00a0v5.3 or\u00a0higher.\n\n\n" } ], "source": { "defect": [ "https://mattermost.atlassian.net/browse/MM-50807" ], "discovery": "INTERNAL" }, "title": "Unrestricted navigation due to unvalidated mattermost server redirection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2000", "datePublished": "2023-05-02T08:57:39.331Z", "dateReserved": "2023-04-12T09:56:00.685Z", "dateUpdated": "2024-08-02T06:05:27.107Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-9155
Vulnerability from cvelistv5
Published
2024-09-26 14:57
Modified
2024-09-26 15:17
Summary
Insufficient Authorization On Unlinked Channel Files
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-9155", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T15:17:17.560859Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T15:17:25.819Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.10.1", "status": "affected", "version": "9.10.0", "versionType": "semver" }, { "lessThanOrEqual": "9.9.2", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.8", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.10.2" }, { "status": "unaffected", "version": "9.9.3" }, { "status": "unaffected", "version": "9.5.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Lorenzo Gallegos" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.1, 9.9.x \u0026lt;= 9.9.2, 9.5.x \u0026lt;= 9.5.8 fail to limit access to channel files that have not been linked to a post, which allows an attacker to view them in channels that they are a member of.\u003c/p\u003e" } ], "value": "Mattermost versions 9.10.x \u003c= 9.10.1, 9.9.x \u003c= 9.9.2, 9.5.x \u003c= 9.5.8 fail to limit access to channel files that have not been linked to a post, which allows an attacker to view them in channels that they are a member of." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-26T14:57:43.987Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.10.2, 9.9.3, 9.5.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.10.2, 9.9.3, 9.5.9 or higher." } ], "source": { "advisory": "MMSA-2024-00362", "defect": [ "https://mattermost.atlassian.net/browse/MM-58774" ], "discovery": "INTERNAL" }, "title": "Insufficient Authorization On Unlinked Channel Files", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-9155", "datePublished": "2024-09-26T14:57:43.987Z", "dateReserved": "2024-09-24T15:39:50.114Z", "dateUpdated": "2024-09-26T15:17:25.819Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39767
Vulnerability from cvelistv5
Published
2024-07-15 08:43
Modified
2024-08-02 04:26
Summary
Spoofed push notifications from malicious server
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39767", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-19T20:01:15.987749Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-19T20:01:48.007Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:15.989Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "2.16.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.17.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to validate that the push notifications received for a server actually came from that server, which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications.\u0026nbsp;\u003c/p\u003e\u003cbr\u003e" } ], "value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to validate that the push notifications received for a server actually came from that server, which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-15T08:43:10.236Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher." } ], "source": { "advisory": "MMSA-2024-00310", "defect": [ "https://mattermost.atlassian.net/browse/MM-56722" ], "discovery": "INTERNAL" }, "title": "Spoofed push notifications from malicious server", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39767", "datePublished": "2024-07-15T08:43:10.236Z", "dateReserved": "2024-07-11T14:48:59.897Z", "dateUpdated": "2024-08-02T04:26:15.989Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39274
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-02 15:10
Summary
Malicious remote can add users to arbitrary teams and channels
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.9.0" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.10.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.10.0" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.9.1:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.9.1" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.5.7:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.5.7" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.7.6:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.7.6" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.8.2:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.8.2" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-39274", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-02T14:46:09.694576Z", 
"version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-02T15:10:58.701Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5 and 9.8.x \u0026lt;= 9.8.1 fail to properly validate that\u0026nbsp;the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5 and 9.8.x \u003c= 9.8.1 fail to properly validate that\u00a0the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:02.518Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00342", "defect": [ "https://mattermost.atlassian.net/browse/MM-58250" ], "discovery": "INTERNAL" }, "title": "Malicious remote can add users to arbitrary teams and channels", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39274", "datePublished": "2024-08-01T14:05:02.518Z", "dateReserved": "2024-07-23T18:35:14.790Z", "dateUpdated": "2024-08-02T15:10:58.701Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2808
Vulnerability from cvelistv5
Published
2023-05-29 09:07
Modified
2024-08-02 06:33
Summary
Lack of URL normalization allows rendering previews for disallowed domains
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.597Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.1.9" }, { "status": "unaffected", "version": "7.8.4" }, { "status": "unaffected", "version": "7.9.3" }, { "status": "unaffected", "version": "7.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "xpx" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link.\u003c/div\u003e" } ], "value": "Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": 
"CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-29T09:07:34.768Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.1.9, v7.8.4, v7.9.3, v7.10, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.1.9, v7.8.4, v7.9.3, v7.10, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00159", "defect": [ "https://mattermost.atlassian.net/browse/MM-51442" ], "discovery": "EXTERNAL" }, "title": "Lack of URL normalization allows rendering previews for disallowed domains", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2808", "datePublished": "2023-05-29T09:07:34.768Z", "dateReserved": "2023-05-19T09:34:03.996Z", "dateUpdated": "2024-08-02T06:33:05.597Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5968
Vulnerability from cvelistv5
Published
2023-11-06 15:35
Modified
2024-09-12 19:26
Summary
Password hash in response body after username update
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:14:25.131Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5968", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T13:24:21.546464Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T19:26:46.796Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.11", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.12" }, { "status": "unaffected", "version": "8.0.4" }, { "status": "unaffected", "version": "8.1.3" }, { "status": "unaffected", "version": "9.0.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to properly sanitize the user object when updating the username, resulting in the 
password hash being included in the response body.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-06T15:35:14.094Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e7.8.12,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.0.4,\u0026nbsp;\u003c/span\u003e\u003c/span\u003e8.1.3, 9.0.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions\u00a07.8.12,\u00a08.0.4,\u00a08.1.3, 9.0.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00242", "defect": [ "https://mattermost.atlassian.net/browse/MM-54225" ], "discovery": "INTERNAL" }, "title": "Password hash in response body after username update", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5968", "datePublished": "2023-11-06T15:35:14.094Z", "dateReserved": "2023-11-06T15:28:44.101Z", "dateUpdated": "2024-09-12T19:26:46.796Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4478
Vulnerability from cvelistv5
Published
2023-08-25 09:06
Modified
2024-09-30 18:17
Summary
Parameter tampering during registration resulting in blocked accounts being created
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:05.857Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4478", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-30T18:17:18.324617Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-30T18:17:59.871Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.4", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.9" }, { "status": "unaffected", "version": "7.10.5" }, { "status": "unaffected", "version": "8.0.1 " }, { "status": "affected", "version": "8.0.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "0AQD (0aqd)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to restrict which parameters\u0027 values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.\u003c/p\u003e" } ], "value": "Mattermost fails to restrict which parameters\u0027 values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost 
without the system admin activating their accounts.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-25T09:06:06.310Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.9, 7.10.5, 8.0.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.9, 7.10.5, 8.0.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00225", "defect": [ "https://mattermost.atlassian.net/browse/MM-53426" ], "discovery": "EXTERNAL" }, "title": "Parameter tampering in the registration resulting in blocked accounts to be created", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-4478", "datePublished": "2023-08-25T09:06:06.310Z", "dateReserved": "2023-08-22T11:45:27.863Z", "dateUpdated": "2024-09-30T18:17:59.871Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47865
Vulnerability from cvelistv5
Published
2023-11-27 09:05
Modified
2024-08-02 21:16
Summary
Username and Icon override can be used by members when Hardened Mode is enabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:16:43.979Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eva Sarafianou" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled\u003c/p\u003e" } ], "value": "Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. 
If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:05:19.917Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00198", "defect": [ "https://mattermost.atlassian.net/browse/MM-52791" ], "discovery": "INTERNAL" }, "title": "Username and Icon override can be used by members when Hardened Mode is enabled", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-47865", "datePublished": "2023-11-27T09:05:19.917Z", "dateReserved": "2023-11-22T11:37:35.979Z", "dateUpdated": "2024-08-02T21:16:43.979Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1777
Vulnerability from cvelistv5
Published
2023-03-31 11:35
Modified
2024-08-02 05:57
Summary
Information disclosure in linked message previews
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:57:25.203Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.7.1", "status": "affected", "version": "6.3.0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.5", "status": "affected", "version": "6.3.0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.0", "status": "affected", "version": "6.3.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.1" }, { "status": "unaffected", "version": "7.7.2" }, { "status": "unaffected", "version": "7.1.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.\u003c/div\u003e" } ], "value": "Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { 
"descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-31T11:35:22.813Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00141", "defect": [ "https://mattermost.atlassian.net/browse/MM-50505" ], "discovery": "INTERNAL" }, "title": "Information disclosure in linked message previews", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1777", "datePublished": "2023-03-31T11:35:22.813Z", "dateReserved": "2023-03-31T11:34:59.009Z", "dateUpdated": "2024-08-02T05:57:25.203Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39772
Vulnerability from cvelistv5
Published
2024-09-16 14:27
Modified
2024-09-16 14:42
Summary
Silent Desktop Screenshot Capture
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39772", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-16T14:41:24.377042Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-16T14:42:19.953Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.8.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.9.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Doyensec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Desktop App versions \u0026lt;=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.\u003c/p\u003e" } ], "value": "Mattermost Desktop App versions \u003c=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-16T14:27:47.103Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Desktop App to versions 5.9.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Desktop App to versions 5.9.0 or higher." } ], "source": { "advisory": "MMSA-2024-00372", "defect": [ "https://mattermost.atlassian.net/browse/MM-59043" ], "discovery": "EXTERNAL" }, "title": "Silent Desktop Screenshot Capture", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39772", "datePublished": "2024-09-16T14:27:47.103Z", "dateReserved": "2024-09-11T15:59:49.540Z", "dateUpdated": "2024-09-16T14:42:19.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-6202
Vulnerability from cvelistv5
Published
2023-11-27 09:12
Modified
2024-10-11 17:58
Summary
Insecure Direct Object Reference in /plugins/focalboard/api/v2/users of Mattermost Boards
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:21:17.904Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-6202", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T17:51:36.345798Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T17:58:15.479Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.0.2" }, { "status": "unaffected", "version": "9.1.1" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows t\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehe ID of another user\u0026nbsp;\u003c/span\u003eto get their information (e.g. 
name, surname, nickname) via Mattermost Boards.\u003c/p\u003e" } ], "value": "Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user\u00a0to get their information (e.g. name, surname, nickname) via Mattermost Boards.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:12:04.786Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00254", "defect": [ "https://mattermost.atlassian.net/browse/MM-54365" ], "discovery": "EXTERNAL" }, "title": "Insecure Direct Object Reference in /plugins/focalboard/ api/v2/users of Mattermost Boards", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-6202", "datePublished": "2023-11-27T09:12:04.786Z", "dateReserved": "2023-11-20T12:24:12.551Z", 
"dateUpdated": "2024-10-11T17:58:15.479Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39810
Vulnerability from cvelistv5
Published
2024-08-22 06:30
Modified
2024-08-22 12:58
Summary
Server crash via Elasticsearch certificate file
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39810", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T12:58:02.840154Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T12:58:12.173Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.7 and 9.10.x \u0026lt;= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.7 and 9.10.x \u003c= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:30:11.602Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher." } ], "source": { "advisory": "MMSA-2024-00359", "defect": [ "https://mattermost.atlassian.net/browse/MM-58788" ], "discovery": "EXTERNAL" }, "title": "Server crash via Elasticsearch certificate file", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39810", "datePublished": "2024-08-22T06:30:11.602Z", "dateReserved": "2024-08-20T16:09:35.897Z", "dateUpdated": "2024-08-22T12:58:12.173Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3591
Vulnerability from cvelistv5
Published
2023-07-17 15:30
Modified
2024-10-21 19:39
Summary
Lack of invalidation of previous password reset tokens on new token creation
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:56.858Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3591", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:38:35.067985Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:39:25.304Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.10.3 " } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "SUBHASIS DATTA (claverrat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to invalidate previously generated password reset tokens when a new reset token was created.\u003c/p\u003e" } ], "value": "Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:30:05.295Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions\u0026nbsp;v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions\u00a0v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00178", "defect": [ "https://mattermost.atlassian.net/browse/MM-52140" ], "discovery": "EXTERNAL" }, "title": "Lack of previous password reset tokens on new token creation", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3591", "datePublished": "2023-07-17T15:30:05.295Z", "dateReserved": "2023-07-10T15:08:38.159Z", "dateUpdated": "2024-10-21T19:39:25.304Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-31859
Vulnerability from cvelistv5
Published
2024-05-26 13:31
Modified
2024-08-02 01:59
Summary
Member promoted to channel admin via playbooks run linking to channel
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-31859", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T15:36:06.448049Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:37:03.781Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:59:49.900Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.6.x \u0026lt;= 9.6.1 and 8.1.x \u0026lt;= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.6.x \u003c= 9.6.1 and 8.1.x \u003c= 8.1.12 fail to perform proper authorization checks 
which allows a member running a playbook in an existing channel to be promoted to a channel admin" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:31:42.704Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2023-00293", "defect": [ "https://mattermost.atlassian.net/browse/MM-56040" ], "discovery": "EXTERNAL" }, "title": "Member promoted to channel admin via playbooks run linking to channel", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-31859", "datePublished": "2024-05-26T13:31:42.704Z", "dateReserved": "2024-05-23T10:57:59.888Z", "dateUpdated": "2024-08-02T01:59:49.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-3147
Vulnerability from cvelistv5
Published
2022-09-09 14:39
Modified
2024-08-03 01:00
Summary
Server-side Denial of Service while processing a specifically crafted JPEG file
References
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
| https://hackerone.com/reports/1549513 | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:00:10.674Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1549513" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.0.x", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-09T14:39:51", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1549513" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v7.1 or higher." } ], "source": { "advisory": "MMSA-2022-00113", "defect": [ "https://mattermost.atlassian.net/browse/MM-43729" ], "discovery": "EXTERNAL" }, "title": "Server-side Denial of Service while processing a specifically crafted JPEG file", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-3147", "STATE": "PUBLIC", "TITLE": "Server-side Denial of Service while processing a specifically crafted JPEG file" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "7.0.x" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1549513", "refsource": "MISC", "url": "https://hackerone.com/reports/1549513" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v7.1 or higher." } ], "source": { "advisory": "MMSA-2022-00113", "defect": [ "https://mattermost.atlassian.net/browse/MM-43729" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-3147", "datePublished": "2022-09-09T14:39:51", "dateReserved": "2022-09-07T00:00:00", "dateUpdated": "2024-08-03T01:00:10.674Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39832
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-07 14:09
Summary
Permanent local data deletion by a malicious remote
References
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39832", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-07T14:09:09.906811Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-07T14:09:31.969Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 fail to properly safeguard an error-handling path, which allows a malicious remote to permanently delete local data by abusing dangerous error handling when shared channels are enabled.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to properly safeguard an error-handling path, which allows a malicious remote to permanently delete local data by abusing dangerous error handling when shared 
channels are enabled." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:04.850Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00329", "defect": [ "https://mattermost.atlassian.net/browse/MM-57866" ], "discovery": "INTERNAL" }, "title": "Permanent local data deletion by a malicious remote", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39832", "datePublished": "2024-08-01T14:05:04.850Z", "dateReserved": "2024-07-23T17:55:45.288Z", "dateUpdated": "2024-08-07T14:09:31.969Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-46872
Vulnerability from cvelistv5
Published
2024-10-29 08:12
Modified
2024-10-29 12:51
Summary
Client-Side Path Traversal Leading to CSRF in Playbooks
References
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-46872", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-29T12:51:01.235547Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-29T12:51:14.111Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.10.2", "status": "affected", "version": "9.10.0", "versionType": "semver" }, { "lessThanOrEqual": "9.11.1", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.0.0" }, { "status": "unaffected", "version": "9.10.3" }, { "status": "unaffected", "version": "9.11.2" }, { "status": "unaffected", "version": "9.5.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks\u003c/p\u003e" } ], "value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T08:12:12.736Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher." } ], "source": { "advisory": "MMSA-2024-00366", "defect": [ "https://mattermost.atlassian.net/browse/MM-58842" ], "discovery": "EXTERNAL" }, "title": "Client-Side Path Traversal Leading to CSRF in Playbooks", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-46872", "datePublished": "2024-10-29T08:12:12.736Z", "dateReserved": "2024-10-21T16:12:47.134Z", "dateUpdated": "2024-10-29T12:51:14.111Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-43780
Vulnerability from cvelistv5
Published
2024-08-22 15:17
Modified
2024-08-22 16:06
Summary
Unauthorized channel file upload
References
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-43780", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T16:06:12.738586Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T16:06:25.703Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.0, 9.8.x \u0026lt;= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.0, 9.8.x \u003c= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T15:17:11.947Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." } ], "source": { "advisory": "MMSA-2024-00357", "defect": [ "https://mattermost.atlassian.net/browse/MM-58524" ], "discovery": "EXTERNAL" }, "title": "Unauthorized channel file upload", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-43780", "datePublished": "2024-08-22T15:17:11.947Z", "dateReserved": "2024-08-16T17:27:00.321Z", "dateUpdated": "2024-08-22T16:06:25.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37863
Vulnerability from cvelistv5
Published
2021-12-17 16:10
Modified
2024-08-04 01:30
Summary
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.
References
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
| https://hackerone.com/reports/1253732 | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:08.631Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1253732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-17T16:10:30", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1253732" } ], "source": { "advisory": "MMSA-2021-0075", "defect": [ "https://mattermost.atlassian.net/browse/MM-36892" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": 
"responsibledisclosure@mattermost.com", "ID": "CVE-2021-37863", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost ", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.0" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20 Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1253732", "refsource": "MISC", "url": "https://hackerone.com/reports/1253732" } ] }, "source": { "advisory": "MMSA-2021-0075", "defect": [ "https://mattermost.atlassian.net/browse/MM-36892" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37863", "datePublished": "2021-12-17T16:10:30", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:08.631Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37862
Vulnerability from cvelistv5
Published
2021-12-17 16:10
Modified
2024-08-04 01:30
Summary
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
References
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates/ | x_refsource_MISC |
| https://hackerone.com/reports/1357013 | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:09.135Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1357013" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-17T16:10:29", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1357013" } ], "source": { "advisory": "MMSA-2021-0074", "defect": [ "https://mattermost.atlassian.net/browse/MM-39205" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { 
"CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2021-37862", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost ", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.0" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-754 Improper Check for Unusual or Exceptional Conditions" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1357013", "refsource": "MISC", "url": "https://hackerone.com/reports/1357013" } ] }, "source": { "advisory": "MMSA-2021-0074", "defect": [ "https://mattermost.atlassian.net/browse/MM-39205" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37862", "datePublished": "2021-12-17T16:10:29", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:09.135Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27264
Vulnerability from cvelistv5
Published
2023-02-27 14:46
Modified
2024-08-02 12:09
Summary
IDOR: Updating a playbook via the Playbooks API
References
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:09:41.845Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "Playbooks" ], "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.5.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.4.0", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.4", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "foobar7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eA missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the \u003ccode\u003e/plugins/playbooks/api/v0/playbooks/[playbookID] API.\u003c/code\u003e\u003cbr\u003e\u003c/div\u003e" } ], "value": "A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } 
] } ], "providerMetadata": { "dateUpdated": "2023-02-27T14:46:16.310Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version 7.5.2, 7.4.1, 7.1.5, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version 7.5.2, 7.4.1, 7.1.5, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00134", "defect": [ "https://mattermost.atlassian.net/browse/MM-47981" ], "discovery": "EXTERNAL" }, "title": "IDOR: Updating a playbook via the Playbooks API", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-27264", "datePublished": "2023-02-27T14:46:16.310Z", "dateReserved": "2023-02-27T14:31:01.786Z", "dateUpdated": "2024-08-02T12:09:41.845Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-8071
Vulnerability from cvelistv5
Published
2024-08-22 06:39
Modified
2024-08-22 13:33
Summary
System Role with edit access to permissions can elevate themselves to system admin
References
Impacted products
| Vendor | Product |
|---|---|
| Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-8071", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T13:16:11.392151Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T13:33:55.204Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 and 9.8.x \u0026lt;= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. 
member) to include the `manage_system` permission, effectively becoming a System Admin.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 and 9.8.x \u003c= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:39:54.830Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." 
} ], "source": { "advisory": "MMSA-2024-00374", "defect": [ "https://mattermost.atlassian.net/browse/MM-58770" ], "discovery": "EXTERNAL" }, "title": "System Role with edit access to permissions can elevate themselves to system admin", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-8071", "datePublished": "2024-08-22T06:39:54.830Z", "dateReserved": "2024-08-22T06:35:49.726Z", "dateUpdated": "2024-08-22T13:33:55.204Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47168
Vulnerability from cvelistv5
Published
2023-11-27 09:12
Modified
2024-08-02 21:01
Summary
Open redirect in /oauth/<service>/mobile_login?redirect_to=
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:22.877Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.0.2" }, { "status": "unaffected", "version": "9.1.1" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly check a redirect URL parameter, allowing an open redirect when the user clicked \"Back to Mattermost\" after providing an invalid custom URL scheme in /oauth/{service}/mobile_login?redirect_to=\u003c/p\u003e" } ], "value": "Mattermost fails to properly check a redirect URL parameter, allowing an open redirect when the user clicked \"Back to Mattermost\" after providing an invalid custom URL scheme in /oauth/{service}/mobile_login?redirect_to=\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", 
"privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:12:52.781Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00252", "defect": [ "https://mattermost.atlassian.net/browse/MM-54488" ], "discovery": "EXTERNAL" }, "title": "Open redirect in /oauth/\u003cservice\u003e/mobile_login?redirect_to=", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-47168", "datePublished": "2023-11-27T09:12:52.781Z", "dateReserved": "2023-11-20T12:06:31.671Z", "dateUpdated": "2024-08-02T21:01:22.877Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-47003
Vulnerability from cvelistv5
Published
2024-09-26 08:05
Modified
2024-09-26 13:11
Summary
DoS via non-string message using permalink embed
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-47003", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T13:10:27.555291Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T13:11:00.827Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.11.0" }, { "lessThanOrEqual": "9.5.8", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.0.0" }, { "status": "unaffected", "version": "9.11.1" }, { "status": "unaffected", "version": "9.5.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "c0rydoras (c0rydoras)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.0 and 9.5.x \u0026lt;= 9.5.8 fail to validate that the message of the permalink post is a string,\u0026nbsp;which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.\u003c/p\u003e" } ], "value": "Mattermost versions 9.11.x \u003c= 9.11.0 and 9.5.x \u003c= 9.5.8 fail to validate that the message of the permalink post is a string,\u00a0which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-26T08:05:16.392Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.5.9 or higher." } ], "source": { "advisory": "MMSA-2024-00373", "defect": [ "https://mattermost.atlassian.net/browse/MM-59077" ], "discovery": "EXTERNAL" }, "title": "DoS via non-string message using permalink embed", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-47003", "datePublished": "2024-09-26T08:05:16.392Z", "dateReserved": "2024-09-23T07:55:36.376Z", "dateUpdated": "2024-09-26T13:11:00.827Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32045
Vulnerability from cvelistv5
Published
2024-05-26 13:29
Modified
2024-08-02 02:06
Summary
Playbook run link to private channel grants channel access
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-32045", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-07T19:55:05.511179Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-07T19:55:13.240Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:06:42.837Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.6.x \u0026lt;= 9.6.1, 8.1.x \u0026lt;= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel\u0026nbsp;which allows members to link their runs to private channels they were not members of.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.6.x \u003c= 9.6.1, 8.1.x \u003c= 8.1.12 
fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel\u00a0which allows members to link their runs to private channels they were not members of." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:29:07.516Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2023-00294", "defect": [ "https://mattermost.atlassian.net/browse/MM-56157" ], "discovery": "EXTERNAL" }, "title": "Playbook run link to private channel grants channel access", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-32045", "datePublished": "2024-05-26T13:29:07.516Z", "dateReserved": "2024-05-23T10:57:59.892Z", "dateUpdated": "2024-08-02T02:06:42.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45316
Vulnerability from cvelistv5
Published
2023-12-12 08:23
Modified
2024-08-02 20:21
Summary
Reflected client side path traversal leading to CSRF in Playbooks
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:21:15.671Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.14", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.0.4" }, { "status": "unaffected", "version": "9.1.3" }, { "status": "unaffected", "version": "9.2.2" }, { "status": "unaffected", "version": "7.8.15" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/\u0026lt;telem_run_id\u0026gt; as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a\u0026nbsp;CSRF attack.\u003c/p\u003e" } ], "value": "Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/\u003ctelem_run_id\u003e as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a\u00a0CSRF attack.\n\n" } ], "metrics": [ { "cvssV3_1": 
{ "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:23:17.299Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e7.8.15,\u0026nbsp;\u003c/span\u003e8.1.6, 9.0.4, 9.1.3, 9.2.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.15,\u00a08.1.6, 9.0.4, 9.1.3, 9.2.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00245", "defect": [ "https://mattermost.atlassian.net/browse/MM-54363" ], "discovery": "EXTERNAL" }, "title": "Reflected client side path traversal leading to CSRF in Playbooks", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-45316", "datePublished": "2023-12-12T08:23:17.299Z", "dateReserved": "2023-12-05T08:22:34.306Z", "dateUpdated": "2024-08-02T20:21:15.671Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3587
Vulnerability from cvelistv5
Published
2023-07-17 15:26
Modified
2024-10-22 13:40
Summary
Inconsistent state in UI after boards permission change by system admin
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:56.922Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3587", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-22T13:32:46.413613Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-22T13:40:42.183Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Pallinger (danipalli)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly show information in the UI, allowing a system admin to modify a board's state so that any user with a valid sharing link can join the board with editor access, without the UI showing the updated permissions.\u003c/p\u003e" } ], "value": "Mattermost fails to properly show information in the UI, allowing a system admin to modify a board's state so that any user with a valid sharing link can 
join the board with editor access, without the UI showing the updated permissions.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:26:51.996Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp;7.8.7,\u0026nbsp;7.9.5,\u0026nbsp;7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions\u00a07.8.7,\u00a07.9.5,\u00a07.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00175", "defect": [ "https://mattermost.atlassian.net/browse/MM-52370" ], "discovery": "EXTERNAL" }, "title": "Inconsistent state in UI after boards permission change by system admin", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3587", "datePublished": "2023-07-17T15:26:51.996Z", "dateReserved": "2023-07-10T14:01:18.080Z", "dateUpdated": "2024-10-22T13:40:42.183Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5967
Vulnerability from cvelistv5
Published
2023-11-06 15:24
Modified
2024-09-12 19:30
Summary
Denial of Service via crashing the Calls Plugin
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:14:25.127Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5967", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T13:35:03.670044Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T19:30:12.159Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.11", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.3" }, { "status": "unaffected", "version": "8.0.4" }, { "status": "unaffected", "version": "7.8.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin\n\n" } ], "metrics": [ { "cvssV3_1": { 
"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-06T15:24:24.544Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003e\u0026nbsp;Update Mattermost Server to versions\u0026nbsp;7.8.12,\u0026nbsp;8.0.4,\u0026nbsp;8.1.3\u0026nbsp;or higher. Alternatively, upgrade the Calls plugin to\u0026nbsp;0.17.1 or higher.\u0026nbsp;\u003c/p\u003e" } ], "value": "\u00a0Update Mattermost Server to versions\u00a07.8.12,\u00a08.0.4,\u00a08.1.3\u00a0or higher. Alternatively, upgrade the Calls plugin to\u00a00.17.1 or higher.\u00a0\n\n" } ], "source": { "advisory": "MMSA-2023-00246", "defect": [ "https://mattermost.atlassian.net/browse/MM-54361" ], "discovery": "EXTERNAL" }, "title": "Denial of Service via crashing the Calls Plugin", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5967", "datePublished": "2023-11-06T15:24:24.544Z", "dateReserved": "2023-11-06T15:14:58.458Z", "dateUpdated": "2024-09-12T19:30:12.159Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-0903
Vulnerability from cvelistv5
Published
2022-03-09 15:17
Modified
2024-08-02 23:47
Summary
Stack overflow in SAML login in Mattermost
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:47:42.124Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "6.3.3", "status": "affected", "version": "6.3", "versionType": "custom" }, { "lessThan": "6.2.3", "status": "affected", "version": "6.2", "versionType": "custom" }, { "lessThan": "6.1.3", "status": "affected", "version": "6.1", "versionType": "custom" }, { "lessThan": "5.37.8", "status": "affected", "version": "5.37", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Call stack overflow / goroutine stack overflow", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-09T15:17:27", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run" } ], "source": { "advisory": "MMSA-2022-0087", "defect": [ "https://mattermost.atlassian.net/browse/MM-41263" ], "discovery": "UNKNOWN" }, "title": "Stack overflow in SAML login in Mattermost", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-0903", "STATE": "PUBLIC", "TITLE": "Stack overflow in SAML login in Mattermost" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3", "version_value": "6.3.3" }, { "version_affected": "\u003c", "version_name": "6.2", "version_value": "6.2.3" }, { "version_affected": "\u003c", "version_name": "6.1", "version_value": "6.1.3" }, { "version_affected": "\u003c", "version_name": "5.37", "version_value": "5.37.8" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost 
responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Call stack overflow / goroutine stack overflow" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run" } ], "source": { "advisory": "MMSA-2022-0087", "defect": [ "https://mattermost.atlassian.net/browse/MM-41263" ], "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-0903", "datePublished": "2022-03-09T15:17:27", "dateReserved": "2022-03-09T00:00:00", "dateUpdated": "2024-08-02T23:47:42.124Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36250
Vulnerability from cvelistv5
Published
2024-11-09 17:18
Modified
2024-11-12 14:52
Summary
MFA Code Replay
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-36250", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T14:52:26.242892Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T14:52:39.191Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.11.2", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.10", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.1.0" }, { "status": "unaffected", "version": "9.11.3" }, { "status": "unaffected", "version": "9.5.11" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.2, and 9.5.x \u0026lt;= 9.5.10 fail to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprotect the mfa code against replay attacks\u003c/span\u003e, which allows an attacker to reuse the MFA code within\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;~30 seconds \u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.11.x \u003c= 9.11.2, and 9.5.x \u003c= 9.5.10 fail to\u00a0protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within\u00a0~30 seconds" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": 
"LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-09T17:18:34.703Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.1.0, 9.11.3, 9.5.11 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.1.0, 9.11.3, 9.5.11 or higher." } ], "source": { "advisory": "MMSA-2024-00370", "defect": [ "https://mattermost.atlassian.net/browse/MM-59068" ], "discovery": "EXTERNAL" }, "title": "MFA Code Replay", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-36250", "datePublished": "2024-11-09T17:18:34.703Z", "dateReserved": "2024-11-05T09:14:34.842Z", "dateUpdated": "2024-11-12T14:52:39.191Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39837
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 20:47
Summary
Malicious remote can create arbitrary channels
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39837", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T20:47:43.584199Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T20:47:51.530Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6 fail to properly restrict channel creation\u0026nbsp;which allows\u0026nbsp;a malicious remote to create arbitrary channels,\u0026nbsp;when shared channels were enabled.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6 fail to properly restrict channel creation\u00a0which allows\u00a0a malicious remote to create arbitrary channels,\u00a0when shared channels were enabled." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:06.182Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher." } ], "source": { "advisory": "MMSA-2024-00332", "defect": [ "https://mattermost.atlassian.net/browse/MM-57872" ], "discovery": "INTERNAL" }, "title": "Malicious remote can create arbitrary channels", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39837", "datePublished": "2024-08-01T14:05:06.182Z", "dateReserved": "2024-07-23T17:55:45.342Z", "dateUpdated": "2024-08-01T20:47:51.530Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-6459
Vulnerability from cvelistv5
Published
2023-12-06 08:11
Modified
2024-08-02 08:28
Summary
Public endpoint /metrics of Calls plugin reveals channel IDs
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:28:21.828Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.13", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.4", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.5" }, { "status": "unaffected", "version": "7.8.14" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost is grouping calls in\u0026nbsp;the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.\u003c/p\u003e" } ], "value": "Mattermost is grouping calls in\u00a0the /metrics endpoint by id and reports that id in the response. 
Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-06T08:11:36.417Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.5, 7.8.14 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.5, 7.8.14 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00250", "defect": [ "https://mattermost.atlassian.net/browse/MM-54444" ], "discovery": "EXTERNAL" }, "title": "Public endpoint /metrics of Calls plugin reveals channel IDs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-6459", "datePublished": "2023-12-06T08:11:36.417Z", "dateReserved": "2023-12-01T10:14:04.973Z", "dateUpdated": "2024-08-02T08:28:21.828Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1003
Vulnerability from cvelistv5
Published
2022-03-18 18:00
Modified
2024-08-02 23:47
Summary
Sysadmin can override existing configs & bypass restrictions like EnableUploads
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:47:43.283Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "6.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-268", "description": "CWE-268 Privilege Chaining", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-18T18:00:21", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v6.4 or higher" } ], "source": { "advisory": " MMSA-2022-0084", "defect": [ "https://mattermost.atlassian.net/browse/MM-41184" ], "discovery": "INTERNAL" }, "title": "Sysadmin can override existing configs \u0026 bypass restrictions like EnableUploads", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1003", "STATE": "PUBLIC", "TITLE": "Sysadmin can override existing configs \u0026 bypass restrictions like EnableUploads" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.3" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-268 Privilege Chaining" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v6.4 or higher" } ], "source": { "advisory": " MMSA-2022-0084", "defect": [ "https://mattermost.atlassian.net/browse/MM-41184" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1003", "datePublished": "2022-03-18T18:00:21", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-08-02T23:47:43.283Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4107
Vulnerability from cvelistv5
Published
2023-08-11 06:12
Modified
2024-10-11 16:52
Summary
Incorrect authorization allows a user manager to update a system admin
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:17:12.064Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThan": "7.8.8", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.9.6", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.10.4", "status": "affected", "version": "7.10.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-4107", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T16:50:49.740745Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T16:52:17.516Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.8" }, { "status": "unaffected", "version": "7.9.6" }, { "status": "unaffected", "version": "7.10.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", 
"value": "\u003cp\u003eMattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin\u0027s details such as email, first name and last name.\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin\u0027s details such as email, first name and last name.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-11T06:12:21.977Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.8, 7.9.6,\u0026nbsp;7.10.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.8, 7.9.6,\u00a07.10.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00207", "defect": [ "https://mattermost.atlassian.net/browse/MM-53091" ], "discovery": "EXTERNAL" }, "title": "Incorrect authorization allows a user manager to update a system admin", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": 
"CVE-2023-4107", "datePublished": "2023-08-11T06:12:21.977Z", "dateReserved": "2023-08-02T15:27:32.294Z", "dateUpdated": "2024-10-11T16:52:17.516Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-43754
Vulnerability from cvelistv5
Published
2023-11-27 09:11
Modified
2024-08-02 19:52
Summary
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:52:11.105Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.0.2" }, { "status": "unaffected", "version": "9.1.1" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Harrison Healey" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check whether the\u0026nbsp; \u201cAllow users to view archived channels\u201d\u0026nbsp; setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the\u0026nbsp;\u201cAllow users to view archived channels\u201d setting is disabled.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to check whether the\u00a0 \u201cAllow users to view archived channels\u201d\u00a0 setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the\u00a0\u201cAllow users to view archived channels\u201d setting is disabled.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:11:13.283Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00241", "defect": [ "https://mattermost.atlassian.net/browse/MM-54221" ], "discovery": "INTERNAL" }, "title": "Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-43754", "datePublished": "2023-11-27T09:11:13.283Z", "dateReserved": "2023-11-22T11:37:35.971Z", "dateUpdated": "2024-08-02T19:52:11.105Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-7113
Vulnerability from cvelistv5
Published
2023-12-29 12:46
Modified
2024-08-02 08:50
Summary
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:50:08.283Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.7" }, { "status": "unaffected", "version": "9.2.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.\u003c/p\u003e" } ], "value": "Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { 
"dateUpdated": "2023-12-29T12:46:13.932Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.2.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.7, 9.2.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00266", "defect": [ "https://mattermost.atlassian.net/browse/MM-53187" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-7113", "datePublished": "2023-12-29T12:46:13.932Z", "dateReserved": "2023-12-26T10:19:31.976Z", "dateUpdated": "2024-08-02T08:50:08.283Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2401
Vulnerability from cvelistv5
Published
2022-07-14 17:20
Modified
2024-08-03 00:39
Summary
Team members could access sensitive information of other users via an API call
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:07.272Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "6.7.x 6.7.0" }, { "lessThanOrEqual": "6.3.8", "status": "affected", "version": "6.x", "versionType": "custom" }, { "lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom" }, { "lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-14T17:20:49", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher." } ], "source": { "advisory": "MMSA-2022-00108", "defect": [ "https://mattermost.atlassian.net/browse/MM-44568" ], "discovery": "INTERNAL" }, "title": "Team members could access sensitive information of other users via an API call", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2401", "STATE": "PUBLIC", "TITLE": "Team members could access sensitive information of other users via an API call" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "6.x", "version_value": "6.3.8" }, { "version_affected": "\u003c=", "version_name": "6.5.x", "version_value": "6.5.1" }, { "version_affected": "\u003c=", "version_name": "6.6.x", "version_value": "6.6.1" }, { "version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Elias Nahum for contributing 
to this improvement under the Mattermost responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher." } ], "source": { "advisory": "MMSA-2022-00108", "defect": [ "https://mattermost.atlassian.net/browse/MM-44568" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2401", "datePublished": "2022-07-14T17:20:49", "dateReserved": "2022-07-14T00:00:00", "dateUpdated": "2024-08-03T00:39:07.272Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1384
Vulnerability from cvelistv5
Published
2022-04-19 20:26
Modified
2024-08-03 00:03
Summary
Authorized users are allowed to install old plugin versions from the Marketplace
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:06.265Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "6.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-477", "description": "CWE-477 Use of Obsolete Function", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T20:26:28", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v6.5 or higher" } ], "source": { "advisory": "MMSA-2022-0095", "defect": [ "https://mattermost.atlassian.net/browse/MM-41885" ], "discovery": "INTERNAL" }, "title": "Authorized users are allowed to install old plugin versions from the Marketplace", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1384", "STATE": "PUBLIC", "TITLE": "Authorized users are allowed to install old plugin versions from the Marketplace" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.4" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-477 Use of Obsolete Function" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v6.5 or higher" } ], "source": { "advisory": "MMSA-2022-0095", "defect": [ "https://mattermost.atlassian.net/browse/MM-41885" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1384", "datePublished": "2022-04-19T20:26:28", "dateReserved": "2022-04-18T00:00:00", "dateUpdated": "2024-08-03T00:03:06.265Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39836
Vulnerability from cvelistv5
Published
2024-08-22 06:27
Modified
2024-08-22 16:39
Summary
Munged email address used for password resets and notifications
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39836", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T16:39:11.770507Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T16:39:21.881Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 and 9.8.x \u0026lt;= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ethe munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;they are valid, functional emails.\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost 
versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 and 9.8.x \u003c= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows\u00a0the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when\u00a0they are valid, functional emails." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:27:09.829Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." 
} ], "source": { "advisory": "MMSA-2024-00339", "defect": [ "https://mattermost.atlassian.net/browse/MM-58244" ], "discovery": "INTERNAL" }, "title": "Munged email address used for password resets and notifications", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39836", "datePublished": "2024-08-22T06:27:09.829Z", "dateReserved": "2024-08-20T16:09:35.902Z", "dateUpdated": "2024-08-22T16:39:21.881Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5195
Vulnerability from cvelistv5
Published
2023-09-29 09:25
Modified
2024-09-05 20:00
Summary
A team member can soft delete other teams that they are not part of
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:07.770Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5195", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T20:00:13.731759Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T20:00:33.078Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.10" }, { "status": "unaffected", "version": "8.0.2" }, { "status": "unaffected", "version": "8.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jesse Hallam" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-29T09:25:58.963Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp;7.8.10,\u0026nbsp;8.0.2,\u0026nbsp;8.1.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions\u00a07.8.10,\u00a08.0.2,\u00a08.1.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00230", "defect": [ "https://mattermost.atlassian.net/browse/MM-53701" ], "discovery": "INTERNAL" }, "title": "A team member can soft delete other teams that they are not part of", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5195", "datePublished": "2023-09-29T09:25:58.963Z", "dateReserved": "2023-09-26T09:27:01.462Z", "dateUpdated": "2024-09-05T20:00:33.078Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2193
Vulnerability from cvelistv5
Published
2023-04-20 08:17
Modified
2024-08-02 06:12
Summary
OAuth authorization codes do not expire when deauthorizing an OAuth2 app
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:12:20.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.7.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.10" }, { "status": "unaffected", "version": "7.9.3" }, { "status": "unaffected", "version": "7.8.4" }, { "status": "unaffected", "version": "7.7.5" }, { "status": "unaffected", "version": "7.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "whitehattushu" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.\u003cbr\u003e" } ], "value": "Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-20T08:17:04.731Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.10, v7.9.3, v7.8.4, v7.7.5, v7.1.9 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.10, v7.9.3, v7.8.4, v7.7.5, v7.1.9 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00157", "defect": [ "https://mattermost.atlassian.net/browse/MM-50219" ], "discovery": "EXTERNAL" }, "title": "Oauth authorization codes do not expire when deauthorizing an oauth2 app", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2193", "datePublished": "2023-04-20T08:17:04.731Z", "dateReserved": "2023-04-20T08:16:27.253Z", "dateUpdated": "2024-08-02T06:12:20.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40884
Vulnerability from cvelistv5
Published
2024-08-22 15:17
Modified
2024-08-22 18:08
Summary
Unauthorized disabling of invite URL
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-40884", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T18:06:51.539483Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T18:08:37.730Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "omar ahmed (omar-ahmed)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 fail to properly enforce permissions which allows a team admin user without \"Add Team Members\" permission to disable the invite URL." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T15:17:10.938Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher." } ], "source": { "advisory": "MMSA-2024-00352", "defect": [ "https://mattermost.atlassian.net/browse/MM-58556" ], "discovery": "EXTERNAL" }, "title": "Unauthorized disabling of invite URL", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-40884", "datePublished": "2024-08-22T15:17:10.938Z", "dateReserved": "2024-08-16T17:27:00.338Z", "dateUpdated": "2024-08-22T18:08:37.730Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3584
Vulnerability from cvelistv5
Published
2023-07-17 15:23
Modified
2024-10-21 19:50
Summary
Member can create team with team override scheme
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:55.933Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3584", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:50:30.477091Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:50:40.857Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.10.3 " }, { "status": "unaffected", "version": "7.8.5" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "ramyadav (cenman)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly check the authorization of\u0026nbsp;POST /api/v4/teams when passing a team override scheme ID in the request,\u0026nbsp;allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.\u003c/p\u003e" } ], "value": "Mattermost fails to properly check the authorization of\u00a0POST /api/v4/teams when passing a team override scheme ID in the request,\u00a0allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override 
scheme.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:23:02.918Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.5, v7.10.3\u0026nbsp;or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.8.5, v7.10.3\u00a0or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00169", "defect": [ "https://mattermost.atlassian.net/browse/MM-51361" ], "discovery": "EXTERNAL" }, "title": "Member can create team with team override scheme ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3584", "datePublished": "2023-07-17T15:23:02.918Z", "dateReserved": "2023-07-10T13:35:18.046Z", "dateUpdated": "2024-10-21T19:50:40.857Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1002
Vulnerability from cvelistv5
Published
2022-03-18 18:00
Modified
2024-08-02 23:47
Summary
HTML Injection while inviting Guests
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC | |
https://hackerone.com/reports/1443567 | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:47:42.975Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1443567" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "6.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Imamul Mursalin for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-18T18:00:21", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1443567" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v6.4 or higher" } ], "source": { "advisory": "MMSA-2022-0088", "defect": [ "https://mattermost.atlassian.net/browse/MM-40895" ], "discovery": "EXTERNAL" }, "title": "HTML Injection while inviting Guests ", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1002", "STATE": "PUBLIC", "TITLE": "HTML Injection while inviting Guests " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.3" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Imamul Mursalin for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1443567", "refsource": "MISC", "url": "https://hackerone.com/reports/1443567" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v6.4 or higher" } ], "source": { "advisory": "MMSA-2022-0088", "defect": [ "https://mattermost.atlassian.net/browse/MM-40895" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1002", "datePublished": "2022-03-18T18:00:22", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-08-02T23:47:42.975Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1953
Vulnerability from cvelistv5
Published
2024-02-29 10:42
Modified
2024-08-16 20:58
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.642Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-1953", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-16T20:58:10.089758Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-16T20:58:25.047Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.4.1", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "status": "affected", "version": "9.3.0" }, { "lessThanOrEqual": "9.2.4", "status": "affected", "version": "9.2.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5" }, { "status": "unaffected", "version": "9.4.2" }, { "status": "unaffected", "version": "9.3.1" }, { "status": "unaffected", "version": "9.2.5" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP 
request.\u003c/p\u003e" } ], "value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T10:42:41.576Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5, 9.4.2, 9.3.1, 9.2.5, 8.1.9, or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5, 9.4.2, 9.3.1, 9.2.5, 8.1.9, or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00273", "defect": [ "https://mattermost.atlassian.net/browse/MM-55093" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-1953", "datePublished": "2024-02-29T10:42:41.576Z", "dateReserved": "2024-02-27T19:37:27.574Z", "dateUpdated": "2024-08-16T20:58:25.047Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
cve-2024-45833
Vulnerability from cvelistv5
Published
2024-09-16 06:41
Modified
2024-09-16 13:04
Summary
Mobile password gets saved in dictionary under conditions
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45833", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-16T13:04:05.356788Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-16T13:04:55.732Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "2.18.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.19.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "@lolcabanon" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u0026nbsp;password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.\u003c/p\u003e" } ], "value": "Mattermost Mobile Apps versions \u003c=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-16T06:41:47.347Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.19.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher." } ], "source": { "advisory": "MMSA-2024-00314", "defect": [ "https://mattermost.atlassian.net/browse/MM-56932" ], "discovery": "EXTERNAL" }, "title": "Mobile password gets saved in dictionary under conditions", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-45833", "datePublished": "2024-09-16T06:41:47.347Z", "dateReserved": "2024-09-10T08:20:38.452Z", "dateUpdated": "2024-09-16T13:04:55.732Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1776
Vulnerability from cvelistv5
Published
2023-03-31 11:29
Modified
2024-08-02 05:57
Summary
Stored XSS via SVG attachment on Boards
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:57:25.242Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.7.1", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.5", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "lessThan": "7.8.0", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.0" }, { "status": "unaffected", "version": "7.7.2" }, { "status": "unaffected", "version": "7.1.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Veshraj Ghimire (ghimire_veshraj)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eBoards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.\u003cbr\u003e\u003c/div\u003e" } ], "value": "Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": 
"CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-31T11:29:36.185Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00139", "defect": [ "https://mattermost.atlassian.net/browse/MM-50167" ], "discovery": "EXTERNAL" }, "title": "Stored XSS via SVG attachment on Boards", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1776", "datePublished": "2023-03-31T11:29:36.185Z", "dateReserved": "2023-03-31T11:29:24.127Z", "dateUpdated": "2024-08-02T05:57:25.242Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-5270
Vulnerability from cvelistv5
Published
2024-05-26 13:30
Modified
2024-08-01 21:11
Summary
SAML to email switch possible when email signin is disabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost_server", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.x", "versionType": "semver" }, { "lessThanOrEqual": "9.7.1", "status": "affected", "version": "9.7.x", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.x", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.x", "versionType": "semver" }, { "status": "unaffected", "version": "9.8.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.7.2" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-5270", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T15:10:22.760839Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:02:41.518Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T21:11:12.407Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.1", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": 
"semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.8.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.7.2" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Grzegorz Misiun from ING" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.7.x \u0026lt;= 9.7.1, 9.6.x \u0026lt;= 9.6.1 and 8.1.x \u0026lt;= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.7.x \u003c= 9.7.1, 9.6.x \u003c= 9.6.1 and 8.1.x \u003c= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:30:53.070Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.8.0, 9.5.4, 9.7.2, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.8.0, 9.5.4, 9.7.2, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2024-00316", "defect": [ "https://mattermost.atlassian.net/browse/MM-57090" ], "discovery": "EXTERNAL" }, "title": "SAML to email switch possible when email signin is disabled", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-5270", "datePublished": "2024-05-26T13:30:53.070Z", "dateReserved": "2024-05-23T13:51:58.596Z", "dateUpdated": "2024-08-01T21:11:12.407Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4195
Vulnerability from cvelistv5
Published
2024-04-26 08:26
Modified
2024-08-01 20:33
Summary
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:jenkins:mattermost:*:*:*:*:*:jenkins:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "jenkins", "versions": [ { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "8.1.12" }, { "status": "affected", "version": "9.6.0" }, { "status": "affected", "version": "9.5.0" }, { "status": "affected", "version": "8.1.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-4195", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-26T18:19:58.356965Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:54:34.811Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:33:52.915Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.6.0" }, { "lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "8.1.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, 
"type": "text/html", "value": "\u003cp\u003eMattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.\u003c/p\u003e" } ], "value": "Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T08:26:00.685Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 8.1.12 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 8.1.12 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00305", "defect": [ "https://mattermost.atlassian.net/browse/MM-56535" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-4195", "datePublished": 
"2024-04-26T08:26:00.685Z", "dateReserved": "2024-04-25T15:39:59.871Z", "dateUpdated": "2024-08-01T20:33:52.915Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1831
Vulnerability from cvelistv5
Published
2023-04-17 14:21
Modified
2024-08-02 06:05
Summary
User password logged in audit logs
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:05:26.096Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.7.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.7.3" }, { "status": "unaffected", "version": "7.8.2" }, { "status": "unaffected", "version": "7.9.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo Astoreca" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost fails to redact \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom audit logs\u0026nbsp;\u003c/span\u003ethe user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). 
\u003cbr\u003e" } ], "value": "Mattermost fails to redact from audit logs\u00a0the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-17T14:52:11.171Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.7.3, v7.8.2, v7.9.1 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.7.3, v7.8.2, v7.9.1 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00146", "defect": [ "https://mattermost.atlassian.net/browse/MM-51320" ], "discovery": "INTERNAL" }, "title": "User password logged in audit logs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1831", "datePublished": "2023-04-17T14:21:13.233Z", "dateReserved": "2023-04-04T12:11:43.194Z", "dateUpdated": "2024-08-02T06:05:26.096Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-50333
Vulnerability from cvelistv5
Published
2024-01-02 09:53
Modified
2024-08-02 22:16
Summary
Lack of restriction to manage group names for freshly demoted guests
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:16:46.618Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.2.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.6", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Leandro Chaves (brdoors3)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing\u0026nbsp;freshly demoted guests to change group names.\u003c/p\u003e" } ], "value": "Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing\u00a0freshly demoted guests to change group names.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-02T09:53:01.990Z", "orgId": 
"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.3.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00263", "defect": [ "https://mattermost.atlassian.net/browse/MM-54773" ], "discovery": "EXTERNAL" }, "title": "Lack of restriction to manage group names for freshly demoted guests", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-50333", "datePublished": "2024-01-02T09:53:01.990Z", "dateReserved": "2023-12-21T08:00:43.432Z", "dateUpdated": "2024-08-02T22:16:46.618Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1562
Vulnerability from cvelistv5
Published
2023-03-22 10:16
Modified
2024-08-02 05:49
Summary
Full name revealed via /plugins/focalboard/api/v2/users
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:49:11.691Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "7.4.0" }, { "status": "unaffected", "version": "7.5.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "foobar7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost fails to check the \"Show Full Name\" setting when rendering the result for the \u003ctt\u003e/plugins/focalboard/api/v2/users\u003c/tt\u003e API call, allowing an attacker to learn the full name of a board owner.\u003cbr\u003e" } ], "value": "Mattermost fails to check the \"Show Full Name\" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-22T10:16:19.862Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, 
"references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.5.0 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.5.0 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00136", "defect": [ "https://mattermost.atlassian.net/browse/MM-48009" ], "discovery": "EXTERNAL" }, "title": "Full name revealed via /plugins/focalboard/api/v2/users", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1562", "datePublished": "2023-03-22T10:16:19.862Z", "dateReserved": "2023-03-22T10:13:30.802Z", "dateUpdated": "2024-08-02T05:49:11.691Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-34029
Vulnerability from cvelistv5
Published
2024-05-26 13:27
Modified
2024-08-02 02:42
Summary
AD/LDAP Group Members Leak
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.1", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.8.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.7.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-34029", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T14:46:22.213261Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:41:10.035Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:42:59.966Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.1", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.8.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.7.2" }, { 
"status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.7.x \u0026lt;= 9.7.1 and 8.1.x \u0026lt;= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/\u0026lt;group-id\u0026gt;/channels/\u0026lt;channel-id\u0026gt;/link endpoint\u0026nbsp;which allows a user\u0026nbsp;to learn the members of\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team.\u0026nbsp;\u0026nbsp;\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.7.x \u003c= 9.7.1 and 8.1.x \u003c= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/\u003cgroup-id\u003e/channels/\u003cchannel-id\u003e/link endpoint\u00a0which allows a user\u00a0to learn the members of\u00a0an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:27:27.082Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.8.0, 9.5.4, 9.7.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.8.0, 9.5.4, 9.7.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2023-00288", "defect": [ "https://mattermost.atlassian.net/browse/MM-55313" ], "discovery": "EXTERNAL" }, "title": "AD/LDAP Group Members Leak", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-34029", "datePublished": "2024-05-26T13:27:27.082Z", "dateReserved": "2024-05-23T10:57:59.882Z", "dateUpdated": "2024-08-02T02:42:59.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39839
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 18:04
Summary
Remote username set to an arbitrary string by remote user
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39839", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T18:04:29.704681Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T18:04:42.351Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 fail to disallow\u0026nbsp;users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn\u0027t been synced before.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to disallow\u00a0users to set their own remote username, 
when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn\u0027t been synced before." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:07.339Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00354", "defect": [ "https://mattermost.atlassian.net/browse/MM-58574" ], "discovery": "INTERNAL" }, "title": "Remote username set to an arbitrary string by remote user", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39839", "datePublished": "2024-08-01T14:05:07.339Z", "dateReserved": "2024-07-23T18:35:14.805Z", "dateUpdated": "2024-08-01T18:04:42.351Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4182
Vulnerability from cvelistv5
Published
2024-04-26 08:25
Modified
2024-08-01 20:33
Summary
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.7", "status": "affected", "version": "8.1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-4182", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-30T14:54:08.480505Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:54:13.942Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:33:52.520Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.6.0" }, { "lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.4", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "9.4.5" }, { "status": "unaffected", "version": "8.1.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 
9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users\u0027 web clients via a malformed custom status.\u003c/p\u003e" } ], "value": "Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users\u0027 web clients via a malformed custom status.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T08:25:37.093Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00272", "defect": [ "https://mattermost.atlassian.net/browse/MM-53185" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-4182", 
"datePublished": "2024-04-26T08:25:37.093Z", "dateReserved": "2024-04-25T14:04:51.237Z", "dateUpdated": "2024-08-01T20:33:52.520Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1332
Vulnerability from cvelistv5
Published
2022-04-13 17:06
Modified
2024-08-03 00:03
Summary
Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.448Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost ", "versions": [ { "lessThan": "6.4.2", "status": "affected", "version": "6.4", "versionType": "custom" }, { "lessThan": "6.3.5", "status": "affected", "version": "6.3", "versionType": "custom" }, { "lessThan": "6.2.5", "status": "affected", "version": "6.2", "versionType": "custom" }, { "lessThan": "5.37.9", "status": "affected", "version": "5.37", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-13T17:06:03", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v6.4.2, 6.3.5, 6.2.5, or 5.37.9, depending on the minor version being run" } ], "source": { "advisory": "MMSA-2022-0094", "defect": [ "https://mattermost.atlassian.net/browse/MM-42271" ], "discovery": "INTERNAL" }, "title": "Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1332", "STATE": "PUBLIC", "TITLE": "Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.4", "version_value": "6.4.2" }, { "version_affected": "\u003c", "version_name": "6.3", "version_value": "6.3.5" }, { "version_affected": "\u003c", "version_name": "6.2", "version_value": "6.2.5" }, { "version_affected": "\u003c", "version_name": "5.37", "version_value": "5.37.9" } ] } } ] }, 
"vendor_name": "Mattermost " } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v6.4.2, 6.3.5, 6.2.5, or 5.37.9, depending on the minor version being run" } ], "source": { "advisory": "MMSA-2022-0094", "defect": [ "https://mattermost.atlassian.net/browse/MM-42271" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1332", "datePublished": "2022-04-13T17:06:03", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T00:03:05.448Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3582
Vulnerability from cvelistv5
Published
2023-07-17 15:21
Modified
2024-10-21 19:59
Summary
Lack of channel membership check when linking a board to a channel
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:56.026Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3582", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:54:43.364581Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:59:17.695Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.10.3" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.8.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ossi V\u00e4\u00e4n\u00e4nen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don\u0027t have access to,\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don\u0027t have 
access to,\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:21:35.038Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3\u0026nbsp;or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3\u00a0or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00147", "defect": [ "https://mattermost.atlassian.net/browse/MM-51062" ], "discovery": "INTERNAL" }, "title": "Lack of channel membership check when linking a board to a channel", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3582", "datePublished": "2023-07-17T15:21:35.038Z", "dateReserved": "2023-07-10T12:41:59.203Z", "dateUpdated": "2024-10-21T19:59:17.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-43813
Vulnerability from cvelistv5
Published
2024-08-22 06:30
Modified
2024-08-22 19:53
Summary
IDOR when marking a user's channel as read
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-43813", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T19:53:22.385207Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T19:53:37.226Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0 fail to enforce proper access controls which allows\u0026nbsp;any authenticated user, including guests, to mark any channel inside any team as read for any user.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0 fail to enforce proper access controls which allows\u00a0any authenticated user, including guests, to mark any channel inside any team as read for any user." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:30:58.923Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.5.8, 9.10.1 or higher." } ], "source": { "advisory": "MMSA-2024-00364", "defect": [ "https://mattermost.atlassian.net/browse/MM-58836" ], "discovery": "EXTERNAL" }, "title": "IDOR when marking read a user\u0027s channel", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-43813", "datePublished": "2024-08-22T06:30:58.923Z", "dateReserved": "2024-08-20T16:09:35.890Z", "dateUpdated": "2024-08-22T19:53:37.226Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39807
Vulnerability from cvelistv5
Published
2024-07-03 08:31
Modified
2024-08-02 04:26
Summary
Channel IDs of archived/restored channels leaked via webhook events
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39807", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T13:25:01.476733Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T20:06:19.128Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:16.012Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Harrison Healey" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.5 and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.8.0\u0026nbsp;\u003c/span\u003efail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.5 and 9.8.0\u00a0fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T08:31:58.312Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher." } ], "source": { "advisory": "MMSA-2024-00318", "defect": [ "https://mattermost.atlassian.net/browse/MM-57073" ], "discovery": "INTERNAL" }, "title": "Channel IDs of archived/restored channels leaked via webhook events", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39807", "datePublished": "2024-07-03T08:31:58.312Z", "dateReserved": "2024-07-01T10:22:11.574Z", "dateUpdated": "2024-08-02T04:26:16.012Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1942
Vulnerability from cvelistv5
Published
2024-02-29 10:41
Modified
2024-08-12 13:16
Summary
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.628Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-1942", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-12T13:16:00.855584Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T13:16:32.143Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.2.4", "status": "affected", "version": "9.2.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "affected", "version": "9.3.0" }, { "status": "unaffected", "version": "9.4" }, { "status": "unaffected", "version": "9.3.1" }, { "status": "unaffected", "version": "9.2.5" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.\u003c/p\u003e" } ], "value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing 
permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T10:41:38.292Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.4, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00283", "defect": [ "https://mattermost.atlassian.net/browse/MM-55495" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-1942", "datePublished": "2024-02-29T10:41:38.292Z", "dateReserved": "2024-02-27T18:10:31.220Z", "dateUpdated": "2024-08-12T13:16:32.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1952
Vulnerability from cvelistv5
Published
2024-02-29 10:42
Modified
2024-08-01 18:56
Summary
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1952", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T18:05:32.069105Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:00:20.315Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.570Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.4" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts\u0027 contents in channels they are not a member of.\u003c/p\u003e" } ], "value": "Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts\u0027 contents in channels they are not a member of.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T10:42:15.362Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.4, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00265", "defect": [ "https://mattermost.atlassian.net/browse/MM-53180" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-1952", "datePublished": "2024-02-29T10:42:15.362Z", "dateReserved": "2024-02-27T19:21:09.017Z", "dateUpdated": "2024-08-01T18:56:22.570Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-43105
Vulnerability from cvelistv5
Published
2024-08-23 07:25
Modified
2024-08-23 16:47
Summary
Excessive Resource Consumption via `/export`
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-43105", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-23T16:47:44.755006Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-23T16:47:53.315Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "1.0.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "1.0.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "c0rydoras (c0rydoras)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Plugin Channel Export versions \u0026lt;=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple times at once.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost Plugin Channel Export versions \u003c=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple times at once." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-23T07:25:00.371Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Plugin Channel Export to versions 1.0.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Plugin Channel Export to versions 1.0.1 or higher." } ], "source": { "advisory": "MMSA-2024-00367", "defect": [ "https://mattermost.atlassian.net/browse/MM-59031" ], "discovery": "EXTERNAL" }, "title": "Excessive Resource Consumption via `/export`", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-43105", "datePublished": "2024-08-23T07:25:00.371Z", "dateReserved": "2024-08-20T16:09:35.912Z", "dateUpdated": "2024-08-23T16:47:53.315Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2408
Vulnerability from cvelistv5
Published
2022-07-14 17:25
Modified
2024-08-03 00:39
Summary
Guest accounts can list all public channels
References
| URL | Tags |
|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:07.253Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "6.3.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "6.4.x" }, { "status": "affected", "version": "6.7.x 6.7.0" }, { "lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom" }, { "lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Rohit KC for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-14T17:25:20", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher." } ], "source": { "advisory": "MMSA-2022-00110", "defect": [ "https://mattermost.atlassian.net/browse/MM-44580" ], "discovery": "EXTERNAL" }, "title": "Guest accounts can list all public channels", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2408", "STATE": "PUBLIC", "TITLE": "Guest accounts can list all public channels" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.3.8" }, { "version_affected": "=", "version_name": "6.4.x", "version_value": "6.4.x" }, { "version_affected": "\u003c=", "version_name": "6.5.x", "version_value": "6.5.1" }, { "version_affected": "\u003c=", "version_name": "6.6.x", "version_value": "6.6.1" }, { "version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Rohit KC for contributing to this 
improvement under the Mattermost responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher." } ], "source": { "advisory": "MMSA-2022-00110", "defect": [ "https://mattermost.atlassian.net/browse/MM-44580" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2408", "datePublished": "2022-07-14T17:25:20", "dateReserved": "2022-07-14T00:00:00", "dateUpdated": "2024-08-03T00:39:07.253Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1774
Vulnerability from cvelistv5
Published
2023-03-31 11:14
Modified
2024-08-02 05:57
Summary
Unauthorized email invite to a private channel
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:57:25.193Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.7.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.7.2" }, { "status": "unaffected", "version": "7.8.0" }, { "status": "unaffected", "version": "7.1.6" }, { "lessThanOrEqual": "7.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "7.8.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "hackit_BhaRat" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eWhen processing an email invite to a private channel on a team, Mattermost fails to validate the inviter\u0027s permission to that channel, allowing an attacker to invite themselves to a private channel.\u003cbr\u003e\u003c/div\u003e" } ], "value": "When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter\u0027s permission to that channel, allowing an attacker to invite themselves to a private channel.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": 
"GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-31T11:14:00.954Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00137", "defect": [ "https://mattermost.atlassian.net/browse/MM-49813" ], "discovery": "EXTERNAL" }, "title": "Unauthorized email invite to a private channel", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1774", "datePublished": "2023-03-31T11:14:00.954Z", "dateReserved": "2023-03-31T11:12:43.830Z", "dateUpdated": "2024-08-02T05:57:25.193Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3581
Vulnerability from cvelistv5
Published
2023-07-17 15:20
Modified
2024-10-30 13:54
Summary
WebSockets accept connections from HTTPS origin
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.497Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3581", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-30T13:54:36.582514Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T13:54:50.335Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": " 7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "\u00a07.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "PHYSICAL", 
"availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:20:00.186Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00200", "defect": [ "https://mattermost.atlassian.net/browse/MM-49701" ], "discovery": "INTERNAL" }, "title": "WebSockets accept connections from HTTPS origin", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3581", "datePublished": "2023-07-17T15:20:00.186Z", "dateReserved": "2023-07-10T12:32:13.548Z", "dateUpdated": "2024-10-30T13:54:50.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2786
Vulnerability from cvelistv5
Published
2023-06-16 08:43
Modified
2024-08-02 06:33
Summary
Channel commands execution doesn't properly verify permissions
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.752Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.1.10" }, { "status": "unaffected", "version": "7.8.5" }, { "status": "unaffected", "version": "7.9.4" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "ramsakal" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly check the\u0026nbsp;permissions when executing commands allowing a member \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewith no permissions\u0026nbsp;\u003c/span\u003eto post a message in a channel to actually post it by executing channel commands.\u003c/p\u003e" } ], "value": "Mattermost fails to properly check the\u00a0permissions when executing commands allowing a member with no permissions\u00a0to post a message in a channel to actually post it by executing channel commands.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": 
"UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T08:43:49.826Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost Server to versions v7.1.10, v7.8.5, v7.9.4, v.7.10.1 or higher." } ], "value": "Update Mattermost Server to versions v7.1.10, v7.8.5, v7.9.4, v.7.10.1 or higher." } ], "source": { "advisory": "MMSA-2023-00172", "defect": [ "https://mattermost.atlassian.net/browse/MM-50222" ], "discovery": "EXTERNAL" }, "title": "Channel commands execution doesn\u0027t properly verify permissions", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2786", "datePublished": "2023-06-16T08:43:49.826Z", "dateReserved": "2023-05-18T10:49:51.062Z", "dateUpdated": "2024-08-02T06:33:05.752Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40886
Vulnerability from cvelistv5
Published
2024-08-22 06:32
Modified
2024-08-22 13:14
Summary
One-click Client-Side Path Traversal Leading to CSRF in User Management admin page
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-40886", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T13:13:52.990685Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T13:14:08.968Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0, 9.8.x \u0026lt;= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for\u0026nbsp;a one-click client-side path traversal that is leading to CSRF in User Management page of the system console.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for\u00a0a one-click client-side path traversal that is 
leading to CSRF in User Management page of the system console." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:32:11.786Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." } ], "source": { "advisory": "MMSA-2024-00368", "defect": [ "https://mattermost.atlassian.net/browse/MM-58839" ], "discovery": "EXTERNAL" }, "title": "One-click Client-Side Path Traversal Leading to CSRF in User Management admin page", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-40886", "datePublished": "2024-08-22T06:32:11.786Z", "dateReserved": "2024-08-20T16:09:35.907Z", "dateUpdated": "2024-08-22T13:14:08.968Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32945
Vulnerability from cvelistv5
Published
2024-07-15 08:42
Modified
2024-08-02 02:27
Summary
LaTeX post content manipulation via renderer state leak across contexts
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "2.16.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.17.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-32945", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-16T15:37:36.760670Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-16T15:44:30.104Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:27:52.391Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "2.16.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.17.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to protect against abuse of a globally shared MathJax state\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewhich allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to protect against abuse of a globally 
shared MathJax state\u00a0which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-909", "description": "CWE-909: Missing Initialization of Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-15T08:42:19.268Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher." } ], "source": { "advisory": "MMSA-2024-00336", "defect": [ "https://mattermost.atlassian.net/browse/MM-57561" ], "discovery": "EXTERNAL" }, "title": "LaTeX post content manipulation via renderer state leak across contexts", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-32945", "datePublished": "2024-07-15T08:42:19.268Z", "dateReserved": "2024-07-11T14:48:59.891Z", "dateUpdated": "2024-08-02T02:27:52.391Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-48732
Vulnerability from cvelistv5
Published
2024-01-02 09:52
Modified
2024-08-02 21:37
Summary
Keywords that trigger mentions are leaked to other users
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:37:54.700Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.6", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Espino Garcia" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to scope the WebSocket response around notified users\u0026nbsp;to a each user separately resulting in the\u0026nbsp;WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\u003c/p\u003e" } ], "value": "Mattermost fails to scope the WebSocket response around notified users\u00a0to a each user separately resulting in the\u00a0WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { 
"dateUpdated": "2024-01-02T09:52:01.147Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.3.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00243", "defect": [ "https://mattermost.atlassian.net/browse/MM-54237" ], "discovery": "INTERNAL" }, "title": "Keywords that trigger mentions are leaked to other users", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-48732", "datePublished": "2024-01-02T09:52:01.147Z", "dateReserved": "2023-12-21T08:00:43.425Z", "dateUpdated": "2024-08-02T21:37:54.700Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4198
Vulnerability from cvelistv5
Published
2024-04-26 08:26
Modified
2024-08-01 20:33
Summary
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-4198", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T19:30:28.234536Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-24T19:30:36.514Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:33:52.786Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.6.0" }, { "lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "8.1.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.\u003c/p\u003e" } ], "value": "Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.\n\n" } ], "metrics": [ 
{ "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T08:26:11.493Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 8.1.12 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 8.1.12 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00313", "defect": [ "https://mattermost.atlassian.net/browse/MM-56928" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-4198", "datePublished": "2024-04-26T08:26:11.493Z", "dateReserved": "2024-04-25T16:39:53.181Z", "dateUpdated": "2024-08-01T20:33:52.786Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2406
Vulnerability from cvelistv5
Published
2022-07-14 17:23
Modified
2024-08-03 00:39
Summary
Malicious imports can lead to Denial of Service
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:07.381Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "6.3.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "6.4.x" }, { "status": "affected", "version": "6.7.x 6.7.0" }, { "lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom" }, { "lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-14T17:23:55", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher." } ], "source": { "advisory": "MMSA-2022-00102", "discovery": "INTERNAL" }, "title": "Malicious imports can lead to Denial of Service", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2406", "STATE": "PUBLIC", "TITLE": "Malicious imports can lead to Denial of Service" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.3.8" }, { "version_affected": "=", "version_name": "6.4.x", "version_value": "6.4.x" }, { "version_affected": "\u003c=", "version_name": "6.5.x", "version_value": "6.5.1" }, { "version_affected": "\u003c=", "version_name": "6.6.x", "version_value": "6.6.1" }, { "version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible 
disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9 or higher." } ], "source": { "advisory": "MMSA-2022-00102", "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2406", "datePublished": "2022-07-14T17:23:55", "dateReserved": "2022-07-14T00:00:00", "dateUpdated": "2024-08-03T00:39:07.381Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1385
Vulnerability from cvelistv5
Published
2022-04-19 20:26
Modified
2024-08-03 00:03
Summary
Invitation Email is resent as a Reminder after invalidating pending email invites
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC | |
https://hackerone.com/reports/1486820 | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:06.033Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1486820" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "6.5.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to mr_anon (mr_anksec) for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-664", "description": "CWE-664 Improper Control of a Resource Through its Lifetime", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T20:26:27", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1486820" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v6.5 or higher" } ], "source": { "advisory": "MMSA-2022-0092", "defect": [ "https://mattermost.atlassian.net/browse/MM-42026" ], "discovery": "EXTERNAL" }, "title": "Invitation Email is resent as a Reminder after invalidating pending email invites", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1385", "STATE": "PUBLIC", "TITLE": "Invitation Email is resent as a Reminder after invalidating pending email invites" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "6.5.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to mr_anon (mr_anksec) for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-664 Improper Control of a Resource Through its Lifetime" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1486820", "refsource": "MISC", "url": "https://hackerone.com/reports/1486820" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v6.5 or higher" } ], "source": { "advisory": "MMSA-2022-0092", "defect": [ "https://mattermost.atlassian.net/browse/MM-42026" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1385", "datePublished": "2022-04-19T20:26:27", "dateReserved": "2022-04-18T00:00:00", "dateUpdated": "2024-08-03T00:03:06.033Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36241
Vulnerability from cvelistv5
Published
2024-05-26 13:32
Modified
2024-08-02 03:30
Summary
/playbook add slash command allows viewing arbitrary post contents
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-36241", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-10T17:41:17.873917Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-10T17:41:28.361Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:30:13.174Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.6.x \u0026lt;= 9.6.1 and 8.1.x \u0026lt;= 8.1.12 fail to enforce proper access controls which allows user to\u0026nbsp;view arbitrary post contents via the\u0026nbsp;/playbook add slash command\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.6.x \u003c= 9.6.1 and 8.1.x \u003c= 8.1.12 fail to enforce proper access controls which allows user 
to\u00a0view arbitrary post contents via the\u00a0/playbook add slash command" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:32:18.865Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2024-00302", "defect": [ "https://mattermost.atlassian.net/browse/MM-56344" ], "discovery": "INTERNAL" }, "title": "/playbook add slash command allows viewing arbitrary post contents", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-36241", "datePublished": "2024-05-26T13:32:18.865Z", "dateReserved": "2024-05-23T10:57:59.901Z", "dateUpdated": "2024-08-02T03:30:13.174Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20851
Vulnerability from cvelistv5
Published
2020-06-19 14:02
Modified
2024-08-05 02:53
Summary
An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device.
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:53:09.404Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-19T14:02:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://mattermost.com/security-updates/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20851", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "CONFIRM", "url": "https://mattermost.com/security-updates/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20851", "datePublished": "2020-06-19T14:02:54", "dateReserved": "2020-06-19T00:00:00", "dateUpdated": "2024-08-05T02:53:09.404Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2515
Vulnerability from cvelistv5
Published
2023-05-12 08:53
Modified
2024-08-02 06:26
Summary
Privilege escalation to system admin via personal access tokens
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:26:09.153Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.7.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.1.8" }, { "status": "unaffected", "version": "7.7.4" }, { "status": "unaffected", "version": "7.8.3" }, { "status": "unaffected", "version": "7.9.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eva Sarafianou" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin\u003cbr\u003e" } ], "value": "Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { 
"lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-12T08:53:44.111Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost Server to versions 7.1.8, 7.7.4, 7.8.3, 7.9.2 or higher.\u003cbr\u003e\u003cbr\u003e" } ], "value": "Update Mattermost Server to versions 7.1.8, 7.7.4, 7.8.3, 7.9.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00162", "defect": [ "https://mattermost.atlassian.net/browse/MM-51723" ], "discovery": "INTERNAL" }, "title": "Privilege escalation to system admin via personal access tokens", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2515", "datePublished": "2023-05-12T08:53:44.111Z", "dateReserved": "2023-05-04T11:36:47.883Z", "dateUpdated": "2024-08-02T06:26:09.153Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-42406
Vulnerability from cvelistv5
Published
2024-09-26 08:04
Modified
2024-09-26 13:11
Summary
Unauthorized access on archived channels
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-42406", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T13:11:20.126365Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T13:11:34.682Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.11.0" }, { "lessThanOrEqual": "9.10.1", "status": "affected", "version": "9.10.0", "versionType": "semver" }, { "lessThanOrEqual": "9.9.2", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.8", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.0.0" }, { "status": "unaffected", "version": "9.11.1" }, { "status": "unaffected", "version": "9.10.2" }, { "status": "unaffected", "version": "9.9.3" }, { "status": "unaffected", "version": "9.5.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Daniel Espino Garcia" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.11.x \u0026lt;= 9.11.0, 9.10.x \u0026lt;= 9.10.1, 9.9.x \u0026lt;= 9.9.2 and 9.5.x \u0026lt;= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u0026nbsp;an attacker to retrieve post and file information about archived channels. 
Examples are flagged or unread posts as well as files.\u003c/p\u003e" } ], "value": "Mattermost versions 9.11.x \u003c= 9.11.0, 9.10.x \u003c= 9.10.1, 9.9.x \u003c= 9.9.2 and 9.5.x \u003c= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows\u00a0an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-26T08:04:22.939Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.0.0, 9.11.1, 9.10.2, 9.9.3, 9.5.9 or higher." 
} ], "source": { "advisory": "MMSA-2024-00351", "defect": [ "https://mattermost.atlassian.net/browse/MM-58491" ], "discovery": "INTERNAL" }, "title": "Unauthorized access on archived channels", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-42406", "datePublished": "2024-09-26T08:04:22.939Z", "dateReserved": "2024-09-23T07:55:36.322Z", "dateUpdated": "2024-09-26T13:11:34.682Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37861
Vulnerability from cvelistv5
Published
2021-12-09 21:32
Modified
2024-08-04 01:30
Summary
Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails.
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:08.712Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "6.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.0.2 and earlier fails to sufficiently sanitize user\u0027s password in audit logs when user creation fails." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-532", "description": "CWE-532 Information Exposure Through Log Files", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-09T21:32:27", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": "MMSA-2021-0072", "defect": [ "https://mattermost.atlassian.net/browse/MM-39448" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2021-37861", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost ", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": 
"6.0.2" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.0.2 and earlier fails to sufficiently sanitize user\u0027s password in audit logs when user creation fails." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-532 Information Exposure Through Log Files" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": "MMSA-2021-0072", "defect": [ "https://mattermost.atlassian.net/browse/MM-39448" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37861", "datePublished": "2021-12-09T21:32:28", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:08.712Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2514
Vulnerability from cvelistv5
Published
2023-05-12 08:56
Modified
2024-08-02 06:26
Summary
DB username/password revealed in application logs
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:26:09.154Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.7.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.1.8" }, { "status": "unaffected", "version": "7.7.4" }, { "status": "unaffected", "version": "7.8.3" }, { "status": "unaffected", "version": "7.9.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Stylianos Rigas" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost Server fails to \u003cspan style=\"background-color: rgba(63, 67, 80, 0.04);\"\u003eredact\u003c/span\u003e the DB username and password before emitting an application log during server initialization.\u0026nbsp;\u003cbr\u003e" } ], "value": "Mattermost Server fails to redact the DB username and password before emitting an application log during server initialization.\u00a0\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": 
"3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-12T08:56:56.250Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost Server to versions 7.1.8, 7.7.4, 7.8.3, 7.9.2 or higher.\u003cbr\u003e\u003cbr\u003e" } ], "value": "Update Mattermost Server to versions 7.1.8, 7.7.4, 7.8.3, 7.9.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00160", "defect": [ "https://mattermost.atlassian.net/browse/MM-51765" ], "discovery": "INTERNAL" }, "title": "DB username/password revealed in application logs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2514", "datePublished": "2023-05-12T08:56:56.250Z", "dateReserved": "2023-05-04T10:06:49.540Z", "dateUpdated": "2024-08-02T06:26:09.154Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3577
Vulnerability from cvelistv5
Published
2023-07-17 15:18
Modified
2024-10-21 19:58
Summary
Limited blind SSRF to localhost/intranet in interactive dialog implementation
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:56.833Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3577", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:54:47.990458Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:58:58.448Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.9.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "WGH (wgh_)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly restrict requests to\u0026nbsp;localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u0026nbsp;blind SSRF.\u003c/p\u003e" } ], "value": "Mattermost fails to properly restrict requests to\u00a0localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u00a0blind SSRF.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:18:07.871Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp; v7.8.7,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions\u00a0 v7.8.7,\u00a0v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00202", "defect": [ "https://mattermost.atlassian.net/browse/MM-37690" ], "discovery": "EXTERNAL" }, "title": "Limited blind SSRF to localhost/intranet in interactive dialog implementation", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3577", "datePublished": "2023-07-17T15:18:07.871Z", "dateReserved": "2023-07-10T09:47:27.158Z", "dateUpdated": "2024-10-21T19:58:58.448Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3585
Vulnerability from cvelistv5
Published
2023-07-17 15:24
Modified
2024-10-21 19:43
Summary
channel DoS by sharing a boards link
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.036Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3585", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:42:37.907997Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:43:02.507Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ossi V\u00e4\u00e4n\u00e4nen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eposting a specially crafted boards link.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by\u00a0posting a specially crafted boards link.\n\n" } ], 
"metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:24:20.975Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00168", "defect": [ "https://mattermost.atlassian.net/browse/MM-51713" ], "discovery": "EXTERNAL" }, "title": "channel DoS by sharing a boards link", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3585", "datePublished": "2023-07-17T15:24:20.975Z", "dateReserved": "2023-07-10T13:44:28.891Z", "dateUpdated": "2024-10-21T19:43:02.507Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39777
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 16:07
Summary
Malicious remote can invite itself to an arbitrary local channel
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-39777", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T14:33:32.102355Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T16:07:03.592Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": 
"finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5 and 9.8.x \u0026lt;= 9.8.1 fail to disallow\u0026nbsp;unsolicited invites to expose access to local channels, when shared channels are enabled,\u0026nbsp;which allows a malicious\u0026nbsp;remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5 and 9.8.x \u003c= 9.8.1 fail to disallow\u00a0unsolicited invites to expose access to local channels, when shared channels are enabled,\u00a0which allows a malicious\u00a0remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:03.701Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00331", "defect": [ "https://mattermost.atlassian.net/browse/MM-57870" ], "discovery": "INTERNAL" }, "title": "Malicious remote can invite itself to an arbitrary local channel", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39777", "datePublished": "2024-08-01T14:05:03.701Z", "dateReserved": "2024-07-23T17:55:45.316Z", "dateUpdated": "2024-08-01T16:07:03.592Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2783
Vulnerability from cvelistv5
Published
2023-06-16 08:39
Modified
2024-08-02 06:33
Summary
App Framework does not check for the secret provided in the incoming webhook request
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost App Framework |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.566Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost App Framework", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.10.1" }, { "status": "unaffected", "version": "7.8.5" }, { "status": "unaffected", "version": "7.9.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rohitesh Gupta" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Apps Framework fails to verify the secret provided in the incoming webhook request, allowing an attacker to\u0026nbsp;modify the contents of the post sent by the Apps.\u003c/p\u003e" } ], "value": "Mattermost Apps Framework fails to verify the secret provided in the incoming webhook request, allowing an attacker to\u00a0modify the contents of the post sent by the Apps.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": 
"CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T08:39:26.096Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.5, 7.9.4, 7.10.1\u0026nbsp;or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.5, 7.9.4, 7.10.1\u00a0or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00151", "defect": [ "https://mattermost.atlassian.net/browse/MM-49874" ], "discovery": "INTERNAL" }, "title": "App Framework does not check for the secret provided in the incoming webhook request", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2783", "datePublished": "2023-06-16T08:39:26.096Z", "dateReserved": "2023-05-18T10:17:10.305Z", "dateUpdated": "2024-08-02T06:33:05.566Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45835
Vulnerability from cvelistv5
Published
2024-09-16 14:27
Modified
2024-09-16 14:42
Summary
Insufficient Electron Fuses Configuration
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45835", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-16T14:42:32.264801Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-16T14:42:39.152Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.8.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.9.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Doyensec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Desktop App versions \u0026lt;=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.\u003c/p\u003e" } ], "value": "Mattermost Desktop App versions \u003c=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-16T14:27:47.636Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Desktop App to versions 5.9.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Desktop App to versions 5.9.0 or higher." } ], "source": { "advisory": "MMSA-2024-00371", "defect": [ "https://mattermost.atlassian.net/browse/MM-59045" ], "discovery": "EXTERNAL" }, "title": "Insufficient Electron Fuses Configuration", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-45835", "datePublished": "2024-09-16T14:27:47.636Z", "dateReserved": "2024-09-11T15:59:49.550Z", "dateUpdated": "2024-09-16T14:42:39.152Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5333
Vulnerability from cvelistv5
Published
2023-10-09 10:41
Modified
2024-09-05 19:46
Summary
Denial of Service via multiple identical User IDs in /api/v4/users/ids
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:08.633Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5333", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:46:22.607275Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:46:32.169Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.10", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.11" }, { "status": "unaffected", "version": "8.0.3" }, { "status": "unaffected", "version": "8.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to deduplicate input IDs allowing a\u0026nbsp;simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. 
\u003c/p\u003e" } ], "value": "Mattermost fails to deduplicate input IDs allowing a\u00a0simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. \n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-09T10:41:36.597Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00239", "defect": [ "https://mattermost.atlassian.net/browse/MM-54127" ], "discovery": "EXTERNAL" }, "title": " Denial of Service via multiple identical User IDs in /api/v4/users/ids", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5333", "datePublished": "2023-10-09T10:41:36.597Z", "dateReserved": "2023-10-02T12:25:25.552Z", "dateUpdated": "2024-09-05T19:46:32.169Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
cve-2023-35075
Vulnerability from cvelistv5
Published
2023-11-27 09:09
Modified
2024-08-02 16:23
Summary
HTML injection via channel autocomplete
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:23:58.680Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Harrison Healey" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to use\u0026nbsp; innerText /\u0026nbsp;textContent\u0026nbsp;when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim\u0027s page by creating a channel name that is valid HTML. No XSS is possible though.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to use\u00a0 innerText /\u00a0textContent\u00a0when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim\u0027s page by creating a channel name that is valid HTML. 
No XSS is possible though.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:09:19.659Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00228", "defect": [ "https://mattermost.atlassian.net/browse/MM-53371" ], "discovery": "EXTERNAL" }, "title": "HTML injection via channel autocomplete", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-35075", "datePublished": "2023-11-27T09:09:19.659Z", "dateReserved": "2023-11-20T12:06:31.656Z", "dateUpdated": "2024-08-02T16:23:58.680Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2784
Vulnerability from cvelistv5
Published
2023-06-16 08:41
Modified
2024-08-02 06:33
Summary
Apps Framework allows install requests from regular members via an internal path
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost App Framework |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.794Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost App Framework", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "v7.8.5" }, { "status": "unaffected", "version": "v7.9.4" }, { "status": "unaffected", "version": "v7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rohitesh Gupta" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps, allowing a regular user to send install requests to the Apps. " } ], "value": "Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps, allowing a regular user to send install requests to the Apps. 
" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T08:41:59.270Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.5, v7.9.4, v7.10.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.8.5, v7.9.4, v7.10.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00152", "defect": [ "https://mattermost.atlassian.net/browse/MM-49876" ], "discovery": "INTERNAL" }, "title": "Apps Framework allows install requests from regular members via an internal path", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2784", "datePublished": "2023-06-16T08:41:59.270Z", "dateReserved": "2023-05-18T10:27:20.883Z", "dateUpdated": "2024-08-02T06:33:05.794Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3615
Vulnerability from cvelistv5
Published
2023-07-17 15:33
Modified
2024-10-30 15:21
Summary
Lack of server certificate validation in websockets connection
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost iOS app |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.123Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3615", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-30T15:21:37.005754Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T15:21:49.715Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "iOS" ], "product": "Mattermost iOS app", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "2.5.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.5.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "aapo (aapo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost iOS app fails\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eproperly\u0026nbsp;\u003c/span\u003evalidate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost iOS app fails\u00a0to properly\u00a0validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:33:25.752Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost iOS app to version 2.5.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost iOS app to version 2.5.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00220", "defect": [ "https://mattermost.atlassian.net/browse/MM-53219" ], "discovery": "EXTERNAL" }, "title": "Lack of server certificate validation in websockets connection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3615", "datePublished": "2023-07-17T15:33:25.752Z", "dateReserved": "2023-07-11T09:05:32.504Z", "dateUpdated": "2024-10-30T15:21:49.715Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4044
Vulnerability from cvelistv5
Published
2022-11-23 05:45
Modified
2024-08-03 01:27
Summary
Authenticated user could send multiple requests containing a large Auto Responder Message payload and can crash a Mattermost server
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:27:54.166Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_transferred" ], "url": "https://hackerone.com/reports/1680241" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.3", "status": "affected", "version": "1.0.0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.*", "status": "unaffected", "version": "7.1.4", "versionType": "semver" }, { "lessThan": "7.2.1", "status": "affected", "version": "7.2.0", "versionType": "semver" }, { "lessThan": "7.3.1", "status": "affected", "version": "7.3.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.4.0" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages." } ], "value": "A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages." 
} ], "impacts": [ { "capecId": "CAPEC-130", "descriptions": [ { "lang": "en", "value": "CAPEC-130 Excessive Allocation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-23T05:45:39.948Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" }, { "url": "https://hackerone.com/reports/1680241" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher." } ], "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher." } ], "source": { "advisory": "MMSA-2022-00120", "discovery": "EXTERNAL" }, "title": "Authenticated user could send multiple requests containing a large Auto Responder Message payload and can crash a Mattermost server", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-4044", "datePublished": "2022-11-23T05:45:39.948Z", "dateReserved": "2022-11-17T05:12:53.140Z", "dateUpdated": "2024-08-03T01:27:54.166Z", "requesterUserId": "0a729610-c22f-40e3-9816-673e47743f12", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39830
Vulnerability from cvelistv5
Published
2024-07-03 08:32
Modified
2024-08-02 04:26
Summary
Timing attack during remote cluster token comparison when shared channels are enabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.8.0:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.8.0" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.7.0:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.7.4", "status": "affected", "version": "9.7.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.6.0:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.6.2", "status": "affected", "version": "9.6.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.5.0:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-39830", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T13:13:17.503877Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T13:40:13.377Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:16.020Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.7.4", "status": 
"affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.2", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.7.5" }, { "status": "unaffected", "version": "9.6.3" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.8.x \u0026lt;= 9.8.0, 9.7.x \u0026lt;= 9.7.4, 9.6.x \u0026lt;= 9.6.2 and 9.5.x \u0026lt;= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ean attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.8.x \u003c= 9.8.0, 9.7.x \u003c= 9.7.4, 9.6.x \u003c= 9.6.2 and 9.5.x \u003c= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T08:32:56.113Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.9.0, 9.8.1, 9.7.5, 9.6.3, 9.5.6 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.7.5, 9.6.3, 9.5.6 or higher." } ], "source": { "advisory": "MMSA-2024-00345", "defect": [ "https://mattermost.atlassian.net/browse/MM-58256" ], "discovery": "INTERNAL" }, "title": "Timing attack during remote cluster token comparison when shared channels are enabled", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39830", "datePublished": "2024-07-03T08:32:56.113Z", "dateReserved": "2024-07-01T10:22:11.595Z", "dateUpdated": "2024-08-02T04:26:16.020Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-52032
Vulnerability from cvelistv5
Published
2024-11-09 17:19
Modified
2024-11-12 14:52
Summary
Private channel names leaking when Elasticsearch is enabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52032", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T14:51:56.470956Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T14:52:07.690Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "10.0.0" }, { "lessThanOrEqual": "9.11.2", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.1.0" }, { "status": "unaffected", "version": "10.0.1" }, { "status": "unaffected", "version": "9.11.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Adrian (thiefmaster)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 10.0.x \u0026lt;= 10.0.0 and 9.11.x \u0026lt;= 9.11.2 fail to properly query ElasticSearch when\u0026nbsp;searching for the channel name in channel switcher\u0026nbsp;which allows an attacker to get private channels names of channels that they are not a member of,\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewhen Elasticsearch v8 was enabled.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 10.0.x \u003c= 10.0.0 and 9.11.x \u003c= 9.11.2 fail to properly query ElasticSearch when\u00a0searching for the channel name in channel switcher\u00a0which allows an attacker to get private channels names of channels that they are not a member of,\u00a0when Elasticsearch v8 was enabled." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-09T17:19:35.639Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.1.0, 10.0.1, 9.11.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.1.0, 10.0.1, 9.11.3 or higher." } ], "source": { "advisory": "MMSA-2024-00385", "defect": [ "https://mattermost.atlassian.net/browse/MM-60649" ], "discovery": "EXTERNAL" }, "title": "Private channel names leaking when Elasticsearch is enabled", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-52032", "datePublished": "2024-11-09T17:19:35.639Z", "dateReserved": "2024-11-05T09:14:34.860Z", "dateUpdated": "2024-11-12T14:52:07.690Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5196
Vulnerability from cvelistv5
Published
2023-09-29 09:22
Modified
2024-09-20 16:02
Summary
DoS via Channel Notification Properties
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:07.819Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5196", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T15:10:40.209744Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T16:02:00.219Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.9", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "8.1.0" }, { "lessThanOrEqual": "8.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.10" }, { "status": "unaffected", "version": "8.1.1" }, { "status": "unaffected", "version": "8.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to enforce character limits in all possible notification props allowing an attacker to\u0026nbsp;send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. 
\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost fails to enforce character limits in all possible notification props allowing an attacker to\u00a0send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. \n\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-29T09:22:36.286Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.10,\u0026nbsp;8.0.2, 8.1.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.10,\u00a08.0.2, 8.1.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00224", "defect": [ "https://mattermost.atlassian.net/browse/MM-53415" ], "discovery": "EXTERNAL" }, "title": "DoS via Channel Notification Properties", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5196", "datePublished": "2023-09-29T09:22:36.286Z", "dateReserved": "2023-09-26T09:37:55.255Z", "dateUpdated": 
"2024-09-20T16:02:00.219Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49874
Vulnerability from cvelistv5
Published
2023-12-12 08:17
Modified
2024-08-02 22:01
Summary
IDOR when updating the tasks of a private playbook run
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:01:26.180Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.14", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.2.2" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.0.4" }, { "status": "unaffected", "version": "9.1.3" }, { "status": "unaffected", "version": "7.8.15" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a\u0026nbsp;guest to update the tasks of a private playbook run if they know the run ID.\u003c/p\u003e" } ], "value": "Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a\u00a0guest to update the tasks of a private playbook run if they know the run ID.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:17:53.947Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3, 7.8.15 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3, 7.8.15 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00247", "defect": [ "https://mattermost.atlassian.net/browse/MM-54400" ], "discovery": "EXTERNAL" }, "title": "IDOR when updating the tasks of a private playbook run", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-49874", "datePublished": "2023-12-12T08:17:53.947Z", "dateReserved": "2023-12-05T08:04:35.043Z", "dateUpdated": "2024-08-02T22:01:26.180Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2445
Vulnerability from cvelistv5
Published
2024-03-15 09:19
Modified
2024-08-01 19:11
Summary
Reflected XSS in Mattermost Jira plugin
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-2445", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-18T18:53:41.753419Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:30:11.664Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:11:53.602Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.4.2", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.1", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.5", "status": "affected", "version": "9.2.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.9", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "9.4.3" }, { "status": "unaffected", "version": "9.3.2" }, { "status": "unaffected", "version": "9.2.6" }, { "status": "unaffected", "version": "8.1.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site 
scripting attacks against the users of the Mattermost server.\u003c/p\u003e" } ], "value": "Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-15T09:19:50.127Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to versions 8.1.0, 9.3.2, 9.4.3, 9.5.0 or higher." } ], "value": "Update Mattermost to versions 8.1.0, 9.3.2, 9.4.3, 9.5.0 or higher." 
} ], "source": { "advisory": "MMSA-2023-00260", "defect": [ "https://mattermost.atlassian.net/browse/MM-54921" ], "discovery": "INTERNAL" }, "title": "Reflected XSS in Mattermost Jira plugin", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-2445", "datePublished": "2024-03-15T09:19:50.127Z", "dateReserved": "2024-03-14T11:40:19.218Z", "dateUpdated": "2024-08-01T19:11:53.602Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-6458
Vulnerability from cvelistv5
Published
2023-12-06 08:10
Modified
2024-08-02 08:28
Summary
Client side path traversal due to lack of route parameters validation
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:28:21.829Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.1.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.13", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.1.2" }, { "status": "unaffected", "version": "9.0.3" }, { "status": "unaffected", "version": "8.1.5" }, { "status": "unaffected", "version": "7.8.14" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost webapp fails to validate\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eroute parameters in\u003c/span\u003e/\u0026lt;TEAM_NAME\u0026gt;/channels/\u0026lt;CHANNEL_NAME\u0026gt;\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eallowing an attacker to perform a client-side path traversal.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost webapp fails to validate\u00a0route parameters in/\u003cTEAM_NAME\u003e/channels/\u003cCHANNEL_NAME\u003e\u00a0allowing an attacker to perform a client-side path traversal.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", 
"confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-06T08:10:18.481Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.1.2, 9.0.3, 8.1.5, 7.8.14 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.1.2, 9.0.3, 8.1.5, 7.8.14 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00248", "defect": [ "https://mattermost.atlassian.net/browse/MM-53903" ], "discovery": "EXTERNAL" }, "title": "Client side path traversal due to lack of route parameters validation", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-6458", "datePublished": "2023-12-06T08:10:18.481Z", "dateReserved": "2023-12-01T10:06:07.237Z", "dateUpdated": "2024-08-02T08:28:21.829Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1337
Vulnerability from cvelistv5
Published
2022-04-13 17:06
Modified
2024-08-03 00:03
Summary
OOM DoS in Mattermost image proxy
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.454Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "6.4.2", "status": "affected", "version": "6.4", "versionType": "custom" }, { "lessThan": "6.3.5", "status": "affected", "version": "6.3", "versionType": "custom" }, { "lessThan": "6.2.5", "status": "affected", "version": "6.2", "versionType": "custom" }, { "lessThan": "5.37.9", "status": "affected", "version": "5.37", "versionType": "custom" } ] } ], "configurations": [ { "lang": "en", "value": "The local image proxy must be enabled for this issue to become exploitable. This is a non-default configuration." } ], "credits": [ { "lang": "en", "value": "Thanks to Agniva de Sarker for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-13T17:06:00", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Upgrade to Mattermost version 6.4.2, 6.3.5, 6.2.5, or 5.37.9." } ], "source": { "advisory": "MMSA-2022-0090", "defect": [ "https://mattermost.atlassian.net/browse/MM-41919" ], "discovery": "INTERNAL" }, "title": "OOM DoS in Mattermost image proxy", "workarounds": [ { "lang": "en", "value": "Disable the image proxy or use an external proxy." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1337", "STATE": "PUBLIC", "TITLE": "OOM DoS in Mattermost image proxy" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.4", "version_value": "6.4.2" }, { "version_affected": "\u003c", "version_name": "6.3", "version_value": "6.3.5" }, { "version_affected": "\u003c", "version_name": "6.2", "version_value": "6.2.5" }, { "version_affected": "\u003c", "version_name": "5.37", "version_value": "5.37.9" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "configuration": [ { "lang": "en", "value": "The local image proxy must be enabled for this issue to become exploitable. This is a non-default configuration." } ], "credit": [ { "lang": "eng", "value": "Thanks to Agniva de Sarker for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Upgrade to Mattermost version 6.4.2, 6.3.5, 6.2.5, or 5.37.9." } ], "source": { "advisory": "MMSA-2022-0090", "defect": [ "https://mattermost.atlassian.net/browse/MM-41919" ], "discovery": "INTERNAL" }, "work_around": [ { "lang": "en", "value": "Disable the image proxy or use an external proxy." } ] } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1337", "datePublished": "2022-04-13T17:06:00", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T00:03:05.454Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-0708
Vulnerability from cvelistv5
Published
2022-02-21 17:49
Modified
2024-08-02 23:40
Summary
Team Creator's Email Address is disclosed to Team Members via one of the APIs
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:40:03.256Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "6.3.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "6.2.2", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "6.1.2", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "5.37.7", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive \u0026 private information disclosure." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-21T17:49:29", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": "MMSA-2022-0082", "defect": [ "https://mattermost.atlassian.net/browse/MM-40177" ], "discovery": "EXTERNAL" }, "title": "Team Creator\u0027s Email Address is disclosed to Team Members via one of the APIs", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-0708", "STATE": "PUBLIC", "TITLE": "Team Creator\u0027s Email Address is disclosed to Team Members via one of the APIs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.3.0" }, { "version_affected": "!\u003e=", "version_value": "6.2.2" }, { "version_affected": "!\u003e=", "version_value": "6.1.2" }, { "version_affected": "!\u003e=", "version_value": "5.37.7" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team 
members to access this information resulting in sensitive \u0026 private information disclosure." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": "MMSA-2022-0082", "defect": [ "https://mattermost.atlassian.net/browse/MM-40177" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-0708", "datePublished": "2022-02-21T17:49:29", "dateReserved": "2022-02-21T00:00:00", "dateUpdated": "2024-08-02T23:40:03.256Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-29221
Vulnerability from cvelistv5
Published
2024-04-05 08:15
Modified
2024-08-02 01:10
Summary
Invite ID available to team admins even without the "Add Members" permission
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-29221", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-09T17:16:33.172848Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:57:08.139Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:10:54.523Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.1", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.3", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.6.0" }, { "status": "unaffected", "version": "9.5.2" }, { "status": "unaffected", "version": "9.4.4" }, { "status": "unaffected", "version": "9.3.3" }, { "status": "unaffected", "version": "8.1.11" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "omar ahmed (omar-ahmed)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eImproper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint\u0026nbsp;allowing\u0026nbsp;a team admin to get the invite ID 
of their team, thus allowing them to invite users, even if the \"Add Members\" permission was explicitly removed from team admins. \u003c/p\u003e" } ], "value": "Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint\u00a0allowing\u00a0a team admin to get the invite ID of their team, thus allowing them to invite users, even if the \"Add Members\" permission was explicitly removed from team admins. \n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-05T08:15:07.130Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00311", "defect": [ "https://mattermost.atlassian.net/browse/MM-56821" ], "discovery": "EXTERNAL" }, "title": "Invite ID available to team admins even without the \"Add Members\" permission", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { 
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-29221", "datePublished": "2024-04-05T08:15:07.130Z", "dateReserved": "2024-04-03T10:03:48.289Z", "dateUpdated": "2024-08-02T01:10:54.523Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13891
Vulnerability from cvelistv5
Published
2020-06-26 16:14
Modified
2024-08-04 12:32
Summary
An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:32:14.331Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-26T16:14:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://mattermost.com/security-updates/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13891", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "CONFIRM", "url": "https://mattermost.com/security-updates/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13891", "datePublished": "2020-06-26T16:14:29", "dateReserved": "2020-06-06T00:00:00", "dateUpdated": "2024-08-04T12:32:14.331Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3586
Vulnerability from cvelistv5
Published
2023-07-17 15:25
Modified
2024-10-22 13:40
Summary
Disabling publicly-shared boards does not disable existing publicly available board links
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.547Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3586", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-22T13:32:51.306394Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-22T13:40:29.225Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Pallinger (danipalli)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to disable\u0026nbsp;public Boards after the \"Enable Publicly-Shared Boards\" configuration option is disabled, resulting in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003epreviously-shared\u0026nbsp;public Boards to remain accessible.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost fails to disable\u00a0public Boards after the \"Enable Publicly-Shared Boards\" 
configuration option is disabled, resulting in\u00a0previously-shared\u00a0public Boards to remain accessible.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:25:30.532Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.8.7,\u0026nbsp;v7.9.5,\u0026nbsp;v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.8.7,\u00a0v7.9.5,\u00a0v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00176", "defect": [ "https://mattermost.atlassian.net/browse/MM-51820" ], "discovery": "EXTERNAL" }, "title": " Disabling publicly-shared boards does not disable existing publicly available board links", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3586", "datePublished": "2023-07-17T15:25:30.532Z", "dateReserved": "2023-07-10T13:57:18.062Z", "dateUpdated": "2024-10-22T13:40:29.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49809
Vulnerability from cvelistv5
Published
2023-12-12 08:20
Modified
2024-08-02 22:01
Summary
Todo plugin gets crashed and disabled by member
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:01:26.051Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.2.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ben Schumacher" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. 
After a few repetitions, the plugin is disabled.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:20:08.321Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.1.6,\u0026nbsp;\u003c/span\u003e9.2.0 or higher\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.6,\u00a09.2.0 or higher\n\n" } ], "source": { "advisory": "MMSA-2023-00227", "defect": [ "https://mattermost.atlassian.net/browse/MM-53424" ], "discovery": "EXTERNAL" }, "title": "Todo plugin gets crashed and disabled by member", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-49809", "datePublished": "2023-12-12T08:20:08.321Z", "dateReserved": "2023-12-05T08:04:35.026Z", "dateUpdated": "2024-08-02T22:01:26.051Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-34152
Vulnerability from cvelistv5
Published
2024-05-26 13:28
Modified
2024-09-03 16:03
Summary
Playbook Run Metadata leak to Guest
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T02:51:11.224Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-34152", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-05T19:25:06.988539Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-03T16:03:29.404Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.6.x \u0026lt;= 9.6.1 and 8.1.x \u0026lt;= 8.1.12 fail to perform proper access control which allows a guest to\u0026nbsp;get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server\u0026nbsp;\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.6.x 
\u003c= 9.6.1 and 8.1.x \u003c= 8.1.12 fail to perform proper access control which allows a guest to\u00a0get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:28:16.722Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2024-00299", "defect": [ "https://mattermost.atlassian.net/browse/MM-56460" ], "discovery": "EXTERNAL" }, "title": "Playbook Run Metadata leak to Guest", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-34152", "datePublished": "2024-05-26T13:28:16.722Z", "dateReserved": "2024-05-23T10:57:59.911Z", "dateUpdated": "2024-09-03T16:03:29.404Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-6727
Vulnerability from cvelistv5
Published
2023-12-12 10:53
Modified
2024-08-02 08:35
Summary
Leak Inaccessible Playbook Information via Channel Action IDOR
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:35:14.884Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.2.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. 
If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T10:53:02.127Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.2.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.6, 9.2.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00236", "defect": [ "https://mattermost.atlassian.net/browse/MM-54129" ], "discovery": "EXTERNAL" }, "title": "Leak Inaccessible Playbook Information via Channel Action IDOR", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-6727", "datePublished": "2023-12-12T10:53:02.127Z", "dateReserved": "2023-12-12T10:48:31.631Z", "dateUpdated": "2024-08-02T08:35:14.884Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39353
Vulnerability from cvelistv5
Published
2024-07-03 08:37
Modified
2024-08-02 04:26
Severity ?
EPSS score ?
Summary
RemoteClusterFrame payloads are audit logged in full
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39353", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-15T18:33:02.163506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-15T18:33:08.378Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:15.306Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T08:37:16.395Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.5.6 or higher." } ], "source": { "advisory": "MMSA-2024-00346", "defect": [ "https://mattermost.atlassian.net/browse/MM-58261" ], "discovery": "INTERNAL" }, "title": "RemoteClusterFrame payloads are audit logged in full", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39353", "datePublished": "2024-07-03T08:37:16.395Z", "dateReserved": "2024-07-01T10:22:11.603Z", "dateUpdated": "2024-08-02T04:26:15.306Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21848
Vulnerability from cvelistv5
Published
2024-04-05 08:13
Modified
2024-08-01 22:27
Severity ?
EPSS score ?
Summary
Users maintain access to active call after being removed from a channel
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-21848", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-15T15:46:42.823620Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-15T15:46:54.574Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.465Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "8.1.11" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Leandro Chaves (brdoors3)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eImproper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel\u003c/p\u003e" } ], "value": "Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", 
"scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-05T08:13:01.713Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 8.1.11 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5.0, 8.1.11 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00256", "defect": [ "https://mattermost.atlassian.net/browse/MM-54545" ], "discovery": "EXTERNAL" }, "title": "Users maintain access to active call after being removed from a channel", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-21848", "datePublished": "2024-04-05T08:13:01.713Z", "dateReserved": "2024-04-03T10:03:48.279Z", "dateUpdated": "2024-08-01T22:27:36.465Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2281
Vulnerability from cvelistv5
Published
2023-04-25 13:04
Modified
2024-08-02 06:19
Severity ?
EPSS score ?
Summary
Archiving a team broadcasts unsanitized data over WebSockets
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:19:14.118Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.9", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Espino Garcia" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eWhen archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.\u003cbr\u003e\u003c/div\u003e" } ], "value": "When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. 
This allows the clients to see the name, display name, description, and other data about the archived team.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-25T13:04:42.287Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.9 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.9 or higher.\n" } ], "source": { "advisory": "MMSA-2022-00128", "defect": [ "https://mattermost.atlassian.net/browse/MM-49034" ], "discovery": "INTERNAL" }, "title": "Archiving a team broadcasts unsanitized data over WebSockets", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2281", "datePublished": "2023-04-25T13:04:42.287Z", "dateReserved": "2023-04-25T13:04:22.071Z", "dateUpdated": "2024-08-02T06:19:14.118Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28949
Vulnerability from cvelistv5
Published
2024-04-05 08:14
Modified
2024-09-03 18:35
Severity ?
EPSS score ?
Summary
DoS via a large number of User Preferences
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T01:03:51.100Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-28949", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-07T17:54:07.197489Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-03T18:35:47.389Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.1", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.3", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.6.0" }, { "status": "unaffected", "version": "9.5.2" }, { "status": "unaffected", "version": "9.4.4" }, { "status": "unaffected", "version": "9.3.3" }, { "status": "unaffected", "version": "8.1.11" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don\u0027t limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of 
service.\u003c/p\u003e" } ], "value": "Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don\u0027t limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-05T08:14:09.878Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00274", "defect": [ "https://mattermost.atlassian.net/browse/MM-55198" ], "discovery": "EXTERNAL" }, "title": "DoS via a large number of User Preferences", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-28949", "datePublished": "2024-04-05T08:14:09.878Z", "dateReserved": "2024-04-03T10:03:48.285Z", "dateUpdated": "2024-09-03T18:35:47.389Z", "state": "PUBLISHED" }, 
"dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2788
Vulnerability from cvelistv5
Published
2023-06-16 08:58
Modified
2024-08-02 06:33
Severity ?
EPSS score ?
Summary
Deactivated user can retain access using oauth2 api
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.778Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.1.10" }, { "status": "unaffected", "version": "7.8.5" }, { "status": "unaffected", "version": "7.9.4" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "whitehattushu" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker\u0027s account is deactivated.\u003c/div\u003e" } ], "value": "Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker\u0027s account is deactivated.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T08:58:15.392Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version\u0026nbsp;7.1.10, 7.8.5, 7.9.4, 7.10.1\u0026nbsp;or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version\u00a07.1.10, 7.8.5, 7.9.4, 7.10.1\u00a0or higher.\n" } ], "source": { "advisory": "MMSA-2023-00163", "defect": [ "https://mattermost.atlassian.net/browse/MM-50733" ], "discovery": "EXTERNAL" }, "title": "Deactivated user can retain access using oauth2 api", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2788", "datePublished": "2023-06-16T08:58:15.392Z", "dateReserved": "2023-05-18T11:58:33.058Z", "dateUpdated": "2024-08-02T06:33:05.778Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1949
Vulnerability from cvelistv5
Published
2024-02-29 10:41
Modified
2024-08-01 18:56
Severity ?
EPSS score ?
Summary
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1949", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T13:47:08.940395Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:05.263Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.631Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.1", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5" }, { "status": "unaffected", "version": "9.4.2" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Agniva De Sarker" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eA race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts\u0027 contents via carefully timed post creation while another user deletes posts.\u003c/p\u003e" } ], "value": "A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts\u0027 contents via carefully timed post creation while another user deletes 
posts.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T10:41:54.916Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00267", "defect": [ "https://mattermost.atlassian.net/browse/MM-53642" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-1949", "datePublished": "2024-02-29T10:41:54.916Z", "dateReserved": "2024-02-27T19:08:16.634Z", "dateUpdated": "2024-08-01T18:56:22.631Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47858
Vulnerability from cvelistv5
Published
2024-01-02 09:54
Modified
2024-08-02 21:16
Severity ?
EPSS score ?
Summary
Details of archived public channels are leaked to members of another team
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:16:43.686Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.2.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.6", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.7" }, { "status": "unaffected", "version": "9.0.5" }, { "status": "unaffected", "version": "9.1.4" }, { "status": "unaffected", "version": "9.2.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly verify the permissions needed for viewing archived public channels,\u0026nbsp;\u0026nbsp;allowing a member of one team to get details about the archived public channels of another team via the\u0026nbsp;GET /api/v4/teams/\u0026lt;team-id\u0026gt;/channels/deleted endpoint.\u003c/p\u003e" } ], "value": "Mattermost fails to properly verify the permissions needed for viewing archived public channels,\u00a0\u00a0allowing a member of one team to get details about the archived public channels of another team via the\u00a0GET /api/v4/teams/\u003cteam-id\u003e/channels/deleted endpoint.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 
4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-02T09:54:25.057Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.7, 9.0.5, 9.1.4, 9.2.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.7, 9.0.5, 9.1.4, 9.2.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00269", "defect": [ "https://mattermost.atlassian.net/browse/MM-55005" ], "discovery": "EXTERNAL" }, "title": "Details of archived public channels are leaked to members of another team", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-47858", "datePublished": "2024-01-02T09:54:25.057Z", "dateReserved": "2023-12-21T08:00:43.436Z", "dateUpdated": "2024-08-02T21:16:43.686Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1887
Vulnerability from cvelistv5
Published
2024-02-29 08:05
Modified
2024-08-07 17:38
Severity ?
EPSS score ?
Summary
Public channel post content accessible without membership when compliance export is enabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.552Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-1887", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-07T17:30:33.578956Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-07T17:38:09.687Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.4.0" }, { "status": "unaffected", "version": "9.3.1" }, { "status": "unaffected", "version": "9.2.5" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "n/a" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a 
member of the public channel to fetch the posts, which will not be audited in the compliance export.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T08:05:29.776Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4,0, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.4,0, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00221", "defect": [ "https://mattermost.atlassian.net/browse/MM-53278" ], "discovery": "INTERNAL" }, "title": "Public channel post content accessible without membership when compliance export is enabled", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-1887", "datePublished": "2024-02-29T08:05:29.776Z", "dateReserved": "2024-02-26T09:14:30.337Z", "dateUpdated": "2024-08-07T17:38:09.687Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-42497
Vulnerability from cvelistv5
Published
2024-08-22 15:17
Modified
2024-08-22 15:31
Severity ?
EPSS score ?
Summary
Insufficient permissions checks on teams
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-42497", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T15:27:30.908684Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T15:31:45.824Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 
9.10.x \u0026lt;= 9.10.0, 9.8.x \u0026lt;= 9.8.2 fail to properly enforce permissions, which allows a user with the system manager role and read-only access to teams to perform write operations on teams.\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2 fail to properly enforce permissions, which allows a user with the system manager role and read-only access to teams to perform write operations on teams." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T15:17:11.468Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." 
} ], "source": { "advisory": "MMSA-2024-00353", "defect": [ "https://mattermost.atlassian.net/browse/MM-58547" ], "discovery": "EXTERNAL" }, "title": "Insufficient permissions checks on teams", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-42497", "datePublished": "2024-08-22T15:17:11.468Z", "dateReserved": "2024-08-16T17:27:00.329Z", "dateUpdated": "2024-08-22T15:31:45.824Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24988
Vulnerability from cvelistv5
Published
2024-02-29 08:06
Modified
2024-08-01 23:36
Summary
Excessive resource consumption when sending long emoji names in user custom status
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-24988", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-01T18:32:28.384741Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:43:03.157Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:36:21.288Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.2.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.4.0" }, { "status": "unaffected", "version": "9.3.1" }, { "status": "unaffected", "version": "9.2.5" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Gian Klug (coderion)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send\u0026nbsp;multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate the length of the emoji value in the custom user status, 
allowing an attacker to repeatedly send a very long string as an emoji value, causing high resource consumption and possibly crashing the server.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T08:06:28.334Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.4.0, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.4.0, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00281", "defect": [ "https://mattermost.atlassian.net/browse/MM-55467" ], "discovery": "EXTERNAL" }, "title": "Excessive resource consumption when sending long emoji names in user custom status", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-24988", "datePublished": "2024-02-29T08:06:28.334Z", "dateReserved": "2024-02-26T08:14:42.970Z", "dateUpdated": "2024-08-01T23:36:21.288Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-48268
Vulnerability from cvelistv5
Published
2023-11-27 09:07
Modified
2024-08-02 21:23
Summary
Denial of Service via Board Import Zip Bomb
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:23:39.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.1.1" }, { "status": "unaffected", "version": "9.0.2" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to\u0026nbsp;limit the amount of data extracted from compressed archives during board import in Mattermost Boards\u0026nbsp;allowing \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ean attacker t\u003c/span\u003eo consume excessive resources, possibly leading to Denial of Service, by\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;importing a board using a specially crafted zip (zip bomb).\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost fails to\u00a0limit the amount of data extracted from compressed archives during board import in Mattermost Boards\u00a0allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by\u00a0importing a board 
using a specially crafted zip (zip bomb).\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:07:29.918Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.1.1, 9.0.2, 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.1.1, 9.0.2, 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00218", "defect": [ "https://mattermost.atlassian.net/browse/MM-53231" ], "discovery": "EXTERNAL" }, "title": "Denial of Service via Board Import Zip Bomb", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-48268", "datePublished": "2023-11-27T09:07:29.918Z", "dateReserved": "2023-11-22T11:18:57.625Z", "dateUpdated": "2024-08-02T21:23:39.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-23319
Vulnerability from cvelistv5
Published
2024-02-09 14:42
Modified
2024-08-01 22:59
Summary
CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-23319", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-22T14:55:39.238454Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:45:50.541Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:59:32.207Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.8" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rohitesh Gupta" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user\u0027s\u0026nbsp;Jira connection in Mattermost only by viewing the message." } ], "value": "Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user\u0027s\u00a0Jira connection in Mattermost only by viewing the message." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-09T14:42:22.126Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to versions v4.1.0\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.8 or higher. Alternatively, update the Mattermost Jira Plugin to versions v4.1.0\n\n" } ], "source": { "advisory": "MMSA-2023-00194", "defect": [ "https://mattermost.atlassian.net/browse/MM-51921" ], "discovery": "INTERNAL" }, "title": "CSRF issue allows disconnecting a user\u0027s Jira connection through a simple post message (Jira Plugin)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-23319", "datePublished": "2024-02-09T14:42:22.126Z", "dateReserved": "2024-01-30T10:23:06.712Z", "dateUpdated": "2024-08-01T22:59:32.207Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-29215
Vulnerability from cvelistv5
Published
2024-05-26 13:33
Modified
2024-08-02 01:10
Summary
Slash commands run in channel without channel membership via playbook task commands
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-29215", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-05T20:42:10.469691Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-05T20:43:29.568Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:10:54.568Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.1", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.8.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.7.2" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.7.x \u0026lt;= 9.7.1, 9.6.x \u0026lt;= 9.6.1, 8.1.x \u0026lt;= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that 
channel and running a slash command as a playbook task command.\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.7.x \u003c= 9.7.1, 9.6.x \u003c= 9.6.1, 8.1.x \u003c= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a playbook task command." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:33:41.791Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.8.0, 9.5.4, 9.7.2, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.8.0, 9.5.4, 9.7.2, 9.6.2, 8.1.13 or higher." 
} ], "source": { "advisory": "MMSA-2024-00300", "defect": [ "https://mattermost.atlassian.net/browse/MM-56342" ], "discovery": "INTERNAL" }, "title": "Slash commands run in channel without channel membership via playbook task commands", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-29215", "datePublished": "2024-05-26T13:33:41.791Z", "dateReserved": "2024-05-23T10:57:59.897Z", "dateUpdated": "2024-08-02T01:10:54.568Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1775
Vulnerability from cvelistv5
Published
2023-03-31 11:26
Modified
2024-08-02 05:57
Summary
Unsanitized events sent over Websocket to regular users in a High Availability environment
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:57:25.258Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.7.1", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.5", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "lessThan": "7.8.0", "status": "affected", "version": "3.3.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.0" }, { "status": "unaffected", "version": "7.7.2" }, { "status": "unaffected", "version": "7.1.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Kyriakos Ziakoulis" }, { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Harrison Healey" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eWhen running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\u003cbr\u003e\u003c/div\u003e" } ], "value": "When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": 
"LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-31T11:26:21.640Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.8.0, v7.1.6, v7.7.2, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00138", "defect": [ "https://mattermost.atlassian.net/browse/MM-49981" ], "discovery": "INTERNAL" }, "title": "Unsanitized events sent over Websocket to regular users in a High Availability environment", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-1775", "datePublished": "2023-03-31T11:26:21.640Z", "dateReserved": "2023-03-31T11:26:09.249Z", "dateUpdated": "2024-08-02T05:57:25.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2366
Vulnerability from cvelistv5
Published
2022-07-11 14:08
Modified
2024-08-03 00:32
Summary
Incorrect defaults can cause attackers to bypass rate limitations
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.696Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "6.7.x 6.7.0" }, { "lessThanOrEqual": "6.3.8", "status": "affected", "version": "6.x", "versionType": "custom" }, { "lessThanOrEqual": "6.5.1", "status": "affected", "version": "6.5.x", "versionType": "custom" }, { "lessThanOrEqual": "6.6.1", "status": "affected", "version": "6.6.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Incorrect default configuration for the trusted IP header in Mattermost version 6.7.0 and earlier allows an attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-11T14:08:50", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": " MMSA-2022-00109", "defect": [ "https://mattermost.atlassian.net/browse/MM-42379" ], "discovery": "EXTERNAL" }, "title": "Incorrect defaults can cause attackers to bypass rate limitations ", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-2366", "STATE": "PUBLIC", "TITLE": "Incorrect defaults can cause attackers to bypass rate limitations " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "6.x", "version_value": "6.3.8" }, { "version_affected": "\u003c=", "version_name": "6.5.x", "version_value": "6.5.1" }, { "version_affected": "\u003c=", "version_name": "6.6.x", "version_value": "6.6.1" }, { "version_affected": "=", "version_name": "6.7.x", "version_value": "6.7.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-276 Incorrect Default Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": " MMSA-2022-00109", "defect": [ "https://mattermost.atlassian.net/browse/MM-42379" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-2366", "datePublished": "2022-07-11T14:08:50", "dateReserved": "2022-07-11T00:00:00", "dateUpdated": "2024-08-03T00:32:09.696Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32939
Vulnerability from cvelistv5
Published
2024-08-22 06:29
Modified
2024-08-22 13:26
Summary
Email addresses of remote users visible in props regardless of server settings
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-32939", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T13:26:39.917242Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T13:26:55.790Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0, 9.8.x \u0026lt;= 9.8.2, when shared channels are enabled, fail to redact remote users\u0027 original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.\"\u003c/p\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2, when shared channels are enabled, fail to redact remote users\u0027 
original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:29:01.203Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." } ], "source": { "advisory": "MMSA-2024-00340", "defect": [ "https://mattermost.atlassian.net/browse/MM-58246" ], "discovery": "INTERNAL" }, "title": "Email addresses of remote users visible in props regardless of server settings", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-32939", "datePublished": "2024-08-22T06:29:01.203Z", "dateReserved": "2024-08-20T16:09:35.875Z", "dateUpdated": "2024-08-22T13:26:55.790Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36255
Vulnerability from cvelistv5
Published
2024-05-26 13:32
Modified
2024-08-02 03:37
Summary
Post actions can run playbook checklist task commands
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.5.3:*:*:*:*:*:*:*" ], "defaultStatus": "affected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.x", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.6.1:*:*:*:*:*:*:*" ], "defaultStatus": "affected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.x", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:8.1.12:*:*:*:*:*:*:*" ], "defaultStatus": "affected", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.x", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-36255", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T16:55:50.413186Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:47:35.787Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:37:03.667Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { 
"status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.6.x \u0026lt;= 9.6.1 and 8.1.x \u0026lt;= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.6.x \u003c= 9.6.1 and 8.1.x \u003c= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:32:56.087Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2024-00301", "defect": [ "https://mattermost.atlassian.net/browse/MM-56346" ], "discovery": "INTERNAL" }, "title": "Post actions can run playbook checklist task commands", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-36255", "datePublished": "2024-05-26T13:32:56.087Z", "dateReserved": "2024-05-23T10:57:59.907Z", "dateUpdated": "2024-08-02T03:37:03.667Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36492
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-05 16:57
Summary
Existing local user overwritten by malicious remote
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-36492", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-05T16:56:57.857020Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-05T16:57:11.289Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user. \u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:01.393Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00341", "defect": [ "https://mattermost.atlassian.net/browse/MM-58248" ], "discovery": "INTERNAL" }, "title": "Existing local user overwritten by malicious remote", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-36492", "datePublished": "2024-08-01T14:05:01.393Z", "dateReserved": "2024-07-23T17:55:45.350Z", "dateUpdated": "2024-08-05T16:57:11.289Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45843
Vulnerability from cvelistv5
Published
2024-09-26 08:03
Modified
2024-09-26 13:11
Summary
Weak SSRF Filtering
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45843", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T13:11:45.717316Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T13:11:54.474Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.8", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.5.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.8 fail to include the\u0026nbsp;metadata endpoints of\u0026nbsp;Oracle Cloud and Alibaba in the SSRF denylist, which allows\u0026nbsp;an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.8 fail to include the\u00a0metadata endpoints of\u00a0Oracle Cloud and Alibaba in the SSRF denylist, which allows\u00a0an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-26T08:03:41.827Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.5.9 or higher." } ], "source": { "advisory": "MMSA-2024-00369", "defect": [ "https://mattermost.atlassian.net/browse/MM-59025" ], "discovery": "EXTERNAL" }, "title": "Weak SSRF Filtering", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-45843", "datePublished": "2024-09-26T08:03:41.827Z", "dateReserved": "2024-09-23T07:55:36.370Z", "dateUpdated": "2024-09-26T13:11:54.474Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-5272
Vulnerability from cvelistv5
Published
2024-05-26 13:29
Modified
2024-08-01 21:11
Summary
Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "unaffected", "version": "9.7.0" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "unaffected", "version": "9.5.4" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "unaffected", "version": "9.6.2" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "unaffected", "version": "8.1.13" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-5272", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T14:54:17.605429Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": 
"2024-06-04T18:02:20.278Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T21:11:12.451Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.1", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.5.4" }, { "status": "unaffected", "version": "9.6.2" }, { "status": "unaffected", "version": "8.1.13" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.3, 9.6.x \u0026lt;= 9.6.1, 8.1.x \u0026lt;= 8.1.12 fail\u0026nbsp;to restrict the audience of the \"custom_playbooks_playbook_run_updated\" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished. \u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.3, 9.6.x \u003c= 9.6.1, 8.1.x \u003c= 8.1.12 fail\u00a0to restrict the audience of the \"custom_playbooks_playbook_run_updated\" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-26T13:29:57.813Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.5.4, 9.6.2, 8.1.13 or higher." } ], "source": { "advisory": "MMSA-2024-00298", "defect": [ "https://mattermost.atlassian.net/browse/MM-56462" ], "discovery": "EXTERNAL" }, "title": "Run Details leak to guest via webhook event \"custom_playbooks_playbook_run_updated\"", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-5272", "datePublished": "2024-05-26T13:29:57.813Z", "dateReserved": "2024-05-23T14:50:39.877Z", "dateUpdated": "2024-08-01T21:11:12.451Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5331
Vulnerability from cvelistv5
Published
2023-10-09 10:40
Modified
2024-09-05 19:47
Summary
File Information Leak via IDOR in file_id in Draft Posts
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:08.561Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5331", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:46:54.511962Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:47:23.046Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.10", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.11" }, { "status": "unaffected", "version": "8.0.3" }, { "status": "unaffected", "version": "8.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly check the creator of an attached file when adding the file to a draft post,\u0026nbsp;potentially exposing unauthorized file information.\u003c/p\u003e" } ], "value": "Mattermost fails to properly check the creator of an attached file when adding the file to a draft post,\u00a0potentially exposing unauthorized file information.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-09T10:40:26.436Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2\u0026nbsp;or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.11, 8.0.3, 8.1.2\u00a0or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00234", "defect": [ "https://mattermost.atlassian.net/browse/MM-53948" ], "discovery": "EXTERNAL" }, "title": "File Information Leak via IDOR in file_id in Draft Posts", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5331", "datePublished": "2023-10-09T10:40:26.436Z", "dateReserved": "2023-10-02T11:06:18.494Z", "dateUpdated": "2024-09-05T19:47:23.046Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-37182
Vulnerability from cvelistv5
Published
2024-06-14 08:39
Modified
2024-08-02 03:50
Summary
Lack of permissions prompting when opening external URLs
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-37182", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-15T20:34:10.739280Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-15T20:34:22.877Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:50:55.403Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.7.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.8.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "gee-netics (gee-netics)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Desktop App versions \u0026lt;=5.7.0 fail to correctly prompt for permission when opening external URLs which allows\u0026nbsp;a remote attacker to force a victim over the Internet to run arbitrary programs on the victim\u0027s system\u0026nbsp;via custom URI schemes.\u003c/p\u003e" } ], "value": "Mattermost Desktop App versions \u003c=5.7.0 fail to correctly prompt for permission when opening external URLs which allows\u00a0a remote attacker to force a victim over the Internet to run arbitrary programs on the victim\u0027s system\u00a0via custom URI schemes." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-14T08:39:19.578Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Desktop App to versions 5.8.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Desktop App to versions 5.8.0 or higher." } ], "source": { "advisory": "MMSA-2024-00335", "defect": [ "https://mattermost.atlassian.net/browse/MM-58088" ], "discovery": "EXTERNAL" }, "title": "Lack of permissions prompting when opening external URLs", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-37182", "datePublished": "2024-06-14T08:39:19.578Z", "dateReserved": "2024-06-14T08:22:33.365Z", "dateUpdated": "2024-08-02T03:50:55.403Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-23493
Vulnerability from cvelistv5
Published
2024-02-29 08:02
Modified
2024-08-01 23:06
Summary
Team associated AD/LDAP Groups Leaked due to missing authorization
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-23493", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-06T16:06:51.577325Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:45:38.797Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:24.717Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.4.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.0", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "9.4.2" }, { "status": "unaffected", "version": "9.3.1" }, { "status": "unaffected", "version": "9.2.5" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly authorize the requests fetching\u0026nbsp;team associated AD/LDAP groups, allowing a user to fetch details of\u0026nbsp;AD/LDAP groups of a team that they are not a member of.\u0026nbsp;\u003c/p\u003e" } ], "value": 
"Mattermost fails to properly authorize the requests fetching\u00a0team associated AD/LDAP groups, allowing a user to fetch details of\u00a0AD/LDAP groups of a team that they are not a member of.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T08:02:32.128Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 9.4.2, 9.3.1, 9.2.5, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5.0, 9.4.2, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00284", "defect": [ "https://mattermost.atlassian.net/browse/MM-55216" ], "discovery": "EXTERNAL" }, "title": " Team associated AD/LDAP Groups Leaked due to missing authorization", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-23493", "datePublished": "2024-02-29T08:02:32.128Z", "dateReserved": "2024-02-26T08:14:42.964Z", "dateUpdated": "2024-08-01T23:06:24.717Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4108
Vulnerability from cvelistv5
Published
2023-08-11 06:12
Modified
2024-10-03 20:27
Summary
Audit logging fails to sanitize post metadata
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:17:11.944Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4108", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-03T20:27:41.174946Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-03T20:27:59.225Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.8" }, { "status": "unaffected", "version": "7.9.6" }, { "status": "unaffected", "version": "7.10.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo Astoreca" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to sanitize post metadata during audit logging resulting in p\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eermalinks contents being logged\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-11T06:12:33.792Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.8, 7.9.6, 7.10.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00214", "defect": [ "https://mattermost.atlassian.net/browse/MM-53157" ], "discovery": "EXTERNAL" }, "title": "Audit logging fails to sanitize post metadata", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-4108", "datePublished": "2023-08-11T06:12:33.792Z", "dateReserved": "2023-08-02T15:36:24.635Z", "dateUpdated": "2024-10-03T20:27:59.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-6547
Vulnerability from cvelistv5
Published
2023-12-12 08:22
Modified
2024-08-02 08:35
Summary
Playbooks access/modification by removed team member
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:35:14.519Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.2.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Leandro Chaves (brdoors3)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. 
This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:22:41.419Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.2.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.6, 9.2.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00271", "defect": [ "https://mattermost.atlassian.net/browse/MM-54988" ], "discovery": "EXTERNAL" }, "title": "Playbooks access/modification by removed team member", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-6547", "datePublished": "2023-12-12T08:22:41.419Z", "dateReserved": "2023-12-06T08:47:19.482Z", "dateUpdated": "2024-08-02T08:35:14.519Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46701
Vulnerability from cvelistv5
Published
2023-12-12 08:19
Modified
2024-08-02 20:53
Summary
Inaccessible Post Information Leak via Run Timeline IDOR
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:20.920Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.2.2" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.0.4" }, { "status": "unaffected", "version": "9.1.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID\u003c/p\u003e" } ], "value": "Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": 
"UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:19:22.274Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u0026nbsp;9.2.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.6, 9.0.4, 9.1.3,\u00a09.2.2 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00237", "defect": [ "https://mattermost.atlassian.net/browse/MM-54148" ], "discovery": "EXTERNAL" }, "title": "Inaccessible Post Information Leak via Run Timeline IDOR", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-46701", "datePublished": "2023-12-12T08:19:22.274Z", "dateReserved": "2023-12-05T08:22:34.302Z", "dateUpdated": "2024-08-02T20:53:20.920Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37864
Vulnerability from cvelistv5
Published
2022-01-18 16:52
Modified
2024-08-04 01:30
Summary
Users can view the contents of an archived channel when access is explicitly denied by the system admin
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:09.016Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "lessThan": "6.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-18T16:52:19", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": "MMSA-2021-0076", "defect": [ "https://mattermost.atlassian.net/browse/MM-40159" ], "discovery": "EXTERNAL" }, "title": "Users can view the contents of an archived channel when access is explicitly denied by the system admin", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": 
"CVE-2021-37864", "STATE": "PUBLIC", "TITLE": "Users can view the contents of an archived channel when access is explicitly denied by the system admin" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost ", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "6.2" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-284 Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": "MMSA-2021-0076", "defect": [ "https://mattermost.atlassian.net/browse/MM-40159" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37864", "datePublished": "2022-01-18T16:52:19", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:09.016Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4045
Vulnerability from cvelistv5
Published
2022-11-23 06:14
Modified
2024-08-03 01:27
Summary
An authenticated user could send multiple requests containing a parameter that fetches a large amount of data, which can crash a Mattermost server
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:27:54.347Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.3.*", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.4.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DummyThatMatters" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints\u0026nbsp;which could fetch a large amount of data.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e" } ], "value": "A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints\u00a0which could fetch a large amount of data.\u00a0\n" } ], "impacts": [ { "capecId": "CAPEC-130", "descriptions": [ { "lang": "en", "value": "CAPEC-130 Excessive Allocation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 
Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-23T06:14:19.131Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.4.0 or higher." } ], "value": "Update Mattermost to version v7.4.0 or higher." } ], "source": { "advisory": "MMSA-2022-00124", "defect": [ "https://mattermost.atlassian.net/browse/MM-45800" ], "discovery": "EXTERNAL" }, "title": "Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-4045", "datePublished": "2022-11-23T06:14:19.131Z", "dateReserved": "2022-11-17T05:22:41.207Z", "dateUpdated": "2024-08-03T01:27:54.347Z", "requesterUserId": "0a729610-c22f-40e3-9816-673e47743f12", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2446
Vulnerability from cvelistv5
Published
2024-03-15 09:11
Modified
2024-08-01 19:11
Summary
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-2446", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-15T17:53:09.280852Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:29:50.343Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:11:53.477Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.4.2", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.1", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.5", "status": "affected", "version": "9.2.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.9", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "9.4.3" }, { "status": "unaffected", "version": "9.3.2" }, { "status": "unaffected", "version": "9.2.6" }, { "status": "unaffected", "version": "8.1.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted 
messages.\u003c/p\u003e" } ], "value": "Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-15T09:11:21.446Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5, 9.4.3, 9.3.2, 9.2.6, 8.1.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5, 9.4.3, 9.3.2, 9.2.6, 8.1.10 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00296", "defect": [ "https://mattermost.atlassian.net/browse/MM-56372" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-2446", "datePublished": "2024-03-15T09:11:21.446Z", "dateReserved": "2024-03-14T12:09:07.848Z", "dateUpdated": "2024-08-01T19:11:53.477Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": 
"5.1" }
cve-2024-47145
Vulnerability from cvelistv5
Published
2024-09-26 08:01
Modified
2024-09-26 13:12
Summary
Unauthorized access on archived channels via file links
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-47145", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T13:12:44.134084Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T13:12:52.240Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.8", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.5.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows\u0026nbsp;an attacker to view posts and files of archived channels via file links.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows\u00a0an attacker to view posts and files of archived channels via file links." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-26T08:01:48.199Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.5.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.5.9 or higher." } ], "source": { "advisory": "MMSA-2024-00358", "defect": [ "https://mattermost.atlassian.net/browse/MM-58522" ], "discovery": "EXTERNAL" }, "title": "Unauthorized access on archived channels via file links", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-47145", "datePublished": "2024-09-26T08:01:48.199Z", "dateReserved": "2024-09-23T07:55:36.353Z", "dateUpdated": "2024-09-26T13:12:52.240Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2793
Vulnerability from cvelistv5
Published
2023-06-16 09:02
Modified
2024-08-02 06:33
Summary
Stack exhaustion in PreparePostForClientWithEmbedsAndImages
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.591Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.10.1" }, { "status": "unaffected", "version": "7.8.3" }, { "status": "unaffected", "version": "7.9.2" }, { "status": "affected", "version": "7.10.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message.\u003c/div\u003e" } ], "value": "Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": 
[ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T09:02:34.751Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version\u0026nbsp; v7.8.3, v7.9.2, 7.10.1 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version\u00a0 v7.8.3, v7.9.2, 7.10.1 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00165", "defect": [ "https://mattermost.atlassian.net/browse/MM-51060" ], "discovery": "EXTERNAL" }, "title": "Stack exhaustion in PreparePostForClientWithEmbedsAndImages", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2793", "datePublished": "2023-06-16T09:02:34.751Z", "dateReserved": "2023-05-18T12:17:17.551Z", "dateUpdated": "2024-08-02T06:33:05.591Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2791
Vulnerability from cvelistv5
Published
2023-06-16 08:59
Modified
2024-08-02 06:33
Summary
Playbooks lets you edit arbitrary posts
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.480Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.9.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "7.8.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "7.7.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "7.10.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.9.2" }, { "status": "unaffected", "version": "7.8.3" }, { "status": "unaffected", "version": "7.7.4" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eWhen creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.\u003c/div\u003e" } ], "value": "When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", 
"scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T08:59:16.854Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.7.4, v7.8.3, v7.9.2, v7.10.1, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.7.4, v7.8.3, v7.9.2, v7.10.1, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00144", "defect": [ "https://mattermost.atlassian.net/browse/MM-50737" ], "discovery": "INTERNAL" }, "title": "Playbooks lets you edit arbitrary posts", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2791", "datePublished": "2023-06-16T08:59:16.854Z", "dateReserved": "2023-05-18T12:09:01.562Z", "dateUpdated": "2024-08-02T06:33:05.480Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-23488
Vulnerability from cvelistv5
Published
2024-02-29 08:03
Modified
2024-08-01 23:06
Summary
Files of archived channels accessible with the “Allow users to view archived channels” option disabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-23488", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-01T16:30:02.570622Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:45:42.951Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:24.721Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "9.4.2" }, { "status": "unaffected", "version": "8.1.9" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the \u201cAllow users to view archived channels\u201d option is disabled.\u003c/p\u003e" } ], "value": "Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the \u201cAllow users to view archived channels\u201d option is 
disabled.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-29T08:04:33.155Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 9.4.2, 8.1.9 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5.0, 9.4.2, 8.1.9 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00292", "defect": [ "https://mattermost.atlassian.net/browse/MM-56173" ], "discovery": "EXTERNAL" }, "title": "Files of archived channels accessible with the \u201cAllow users to view archived channels\u201d option disabled", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-23488", "datePublished": "2024-02-29T08:03:20.744Z", "dateReserved": "2024-02-26T08:14:42.978Z", "dateUpdated": "2024-08-01T23:06:24.721Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2450
Vulnerability from cvelistv5
Published
2024-03-15 09:12
Modified
2024-08-02 20:35
Summary
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, 9.4.x before 9.4.3, and 9.5.0 (fixed in 9.5.1) fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. Note that the record's affected-versions list below also marks 9.5.0 as affected even though the vendor description omits it; 9.5.x deployments should be on 9.5.1 or later.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T19:11:53.648Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "lessThan": "9.6.0", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThan": "9.4.3", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThan": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThan": "9.2.6", "status": "affected", "version": "9.2.0", "versionType": "semver" }, { "lessThan": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-2450", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-02T20:31:33.867157Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-02T20:35:32.666Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.5.0" }, { "lessThanOrEqual": "9.4.2", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.1", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.5", "status": "affected", "version": "9.2.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.9", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": 
"9.6.0" }, { "status": "unaffected", "version": "9.4.3" }, { "status": "unaffected", "version": "9.5.1" }, { "status": "unaffected", "version": "9.3.2" }, { "status": "unaffected", "version": "9.2.6" }, { "status": "unaffected", "version": "8.1.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.\u003c/p\u003e" } ], "value": "Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-15T09:12:28.880Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", 
"supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6, 9.4.3, 9.5.1, 9.3.2, 9.2.6, 8.1.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.6, 9.4.3, 9.5.1, 9.3.2, 9.2.6, 8.1.10 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00309", "defect": [ "https://mattermost.atlassian.net/browse/MM-56751" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-2450", "datePublished": "2024-03-15T09:12:28.880Z", "dateReserved": "2024-03-14T12:57:05.854Z", "dateUpdated": "2024-08-02T20:35:32.666Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41162
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-02 15:01
Summary
Malicious remote can make an arbitrary local channel read-only
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-41162", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-02T14:45:25.763522Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-02T15:01:29.868Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5 and 9.8.x \u0026lt;= 9.8.1 fail to disallow\u0026nbsp;the modification of local channels by a remote, when shared channels are enabled, which allows\u0026nbsp;a malicious remote to make an arbitrary local channel read-only.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5 and 9.8.x \u003c= 9.8.1 fail to disallow\u00a0the modification of local channels by a remote, when shared channels are enabled, which allows\u00a0a malicious remote to make an 
arbitrary local channel read-only." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:09.501Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00330", "defect": [ "https://mattermost.atlassian.net/browse/MM-57868" ], "discovery": "INTERNAL" }, "title": "Malicious remote can make an arbitrary local channel read-only", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-41162", "datePublished": "2024-08-01T14:05:09.501Z", "dateReserved": "2024-07-23T17:55:45.298Z", "dateUpdated": "2024-08-02T15:01:29.868Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4105
Vulnerability from cvelistv5
Published
2023-08-11 06:11
Modified
2024-10-01 20:31
Summary
Attachment of deleted message in a thread remains accessible and downloadable
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:17:12.027Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4105", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-01T20:24:15.469462Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-01T20:31:10.494Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.8" }, { "status": "unaffected", "version": "7.9.6" }, { "status": "unaffected", "version": "7.10.4 " } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message\u003c/p\u003e" } ], "value": "Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message\n\n" } ], "metrics": [ { "cvssV3_1": { 
"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-11T06:11:57.438Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost Server to versions\u0026nbsp;7.10.4,\u0026nbsp;7.9.6,\u0026nbsp;7.8.8 or higher" } ], "value": "Update Mattermost Server to versions\u00a07.10.4,\u00a07.9.6,\u00a07.8.8 or higher" } ], "source": { "advisory": "MMSA-2023-00179", "defect": [ "https://mattermost.atlassian.net/browse/MM-52414" ], "discovery": "EXTERNAL" }, "title": "Attachment of deleted message in a thread remains accessible and downloadable ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-4105", "datePublished": "2023-08-11T06:11:57.438Z", "dateReserved": "2023-08-02T14:51:36.949Z", "dateUpdated": "2024-10-01T20:31:10.494Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32046
Vulnerability from cvelistv5
Published
2024-04-26 08:24
Modified
2024-08-02 02:06
Summary
Detailed error discloses full file path with dev mode off
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.6.x" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.5.x" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.4.x" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "8.1.x" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-32046", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-26T19:11:02.512965Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:50:31.884Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:06:42.822Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.6.0" }, { "lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.4", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.11", 
"status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "9.4.5" }, { "status": "unaffected", "version": "8.1.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Grzegorz Misiun from ING" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.6.x \u0026lt;= 9.6.0, 9.5.x \u0026lt;= 9.5.2, 9.4.x \u0026lt;= 9.4.4 and 8.1.x \u0026lt;= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored\u003c/p\u003e" } ], "value": "Mattermost versions 9.6.x \u003c= 9.6.0, 9.5.x \u003c= 9.5.2, 9.4.x \u003c= 9.4.4 and 8.1.x \u003c= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T08:24:50.696Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": 
"https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00317", "defect": [ "https://mattermost.atlassian.net/browse/MM-57069" ], "discovery": "EXTERNAL" }, "title": "Detailed error discloses full file path with dev mode off", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-32046", "datePublished": "2024-04-26T08:24:50.696Z", "dateReserved": "2024-04-10T09:53:47.691Z", "dateUpdated": "2024-08-02T02:06:42.822Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-6428
Vulnerability from cvelistv5
Published
2024-07-03 08:39
Modified
2024-08-01 21:41
Summary
Limited DoS due to permitting creating users with user-defined IDs
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.7.4", "status": "affected", "version": "9.7.0", "versionType": "custom" }, { "lessThanOrEqual": "9.6.2", "status": "affected", "version": "9.6.0", "versionType": "custom" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "custom" }, { "status": "unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.7.5" }, { "status": "unaffected", "version": "9.6.3" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-6428", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T13:14:16.920289Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T13:25:17.295Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T21:41:03.285Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.7.4", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.2", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": 
"unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.7.5" }, { "status": "unaffected", "version": "9.6.3" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost versions 9.8.0, 9.7.x \u0026lt;= 9.7.4, 9.6.x \u0026lt;= 9.6.2, 9.5.x \u0026lt;= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such as administrative actions against the user not working. " } ], "value": "Mattermost versions 9.8.0, 9.7.x \u003c= 9.7.4, 9.6.x \u003c= 9.6.2, 9.5.x \u003c= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such as administrative actions against the user not working." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T08:44:34.225Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.9.0, 9.8.1, 9.7.5, 9.6.3, 9.5.6 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.7.5, 9.6.3, 9.5.6 or higher." } ], "source": { "advisory": "MMSA-2024-00348", "defect": [ "https://mattermost.atlassian.net/browse/MM-58278" ], "discovery": "INTERNAL" }, "title": "Limited DoS due to permitting creating users with user-defined IDs", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-6428", "datePublished": "2024-07-03T08:39:28.121Z", "dateReserved": "2024-07-01T12:15:48.662Z", "dateUpdated": "2024-08-01T21:41:03.285Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1402
Vulnerability from cvelistv5
Published
2024-02-09 15:09
Modified
2024-08-01 18:40
Summary
Denial of service in mattermost mobile apps and server via emoji reactions
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1402", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-22T17:55:23.358517Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:00:45.030Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:40:20.579Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.3.0" }, { "status": "unaffected", "version": "9.2.4" }, { "status": "unaffected", "version": "9.1.5" }, { "status": "unaffected", "version": "8.1.8" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Gian Klug (coderion)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the 
aforementioned post\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-30T12:07:15.141Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.3.0, 9.2.4, 9.1.5, 8.1.8 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.3.0, 9.2.4, 9.1.5, 8.1.8 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00276", "defect": [ "https://mattermost.atlassian.net/browse/MM-55142" ], "discovery": "EXTERNAL" }, "title": "Denial of service in mattermost mobile apps and server via emoji reactions", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": 
"CVE-2024-1402", "datePublished": "2024-02-09T15:09:18.157Z", "dateReserved": "2024-02-09T14:53:28.621Z", "dateUpdated": "2024-08-01T18:40:20.579Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4183
Vulnerability from cvelistv5
Published
2024-04-26 08:25
Modified
2024-08-01 20:33
Summary
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.6.0" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "-" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.4.0" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "8.1.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-4183", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-29T17:36:22.940094Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:54:30.447Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:33:52.871Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.10", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.4", "status": "affected", "version": "9.4.0", 
"versionType": "semver" }, { "lessThanOrEqual": "8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.11", "status": "unaffected", "version": "9.7.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "9.4.5" }, { "status": "unaffected", "version": "8.1.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.\u003c/p\u003e" } ], "value": "Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T08:25:47.088Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, 
"references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00279", "defect": [ "https://mattermost.atlassian.net/browse/MM-55319" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-4183", "datePublished": "2024-04-26T08:25:47.088Z", "dateReserved": "2024-04-25T14:18:54.310Z", "dateUpdated": "2024-08-01T20:33:52.871Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-42411
Vulnerability from cvelistv5
Published
2024-08-22 06:32
Modified
2024-08-22 13:22
Summary
User creation date manipulation in POST /api/v4/users
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost:9.10.0:-:*:*:*:*:*:*", "cpe:2.3:a:mattermost:mattermost:9.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:mattermost:mattermost:9.8.0:-:*:*:*:*:*:*", "cpe:2.3:a:mattermost:mattermost:9.9.0:-:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "custom" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "custom" }, { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-42411", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T13:18:21.337328Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T13:22:35.586Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.9.1", "status": "affected", "version": "9.9.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.7", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "affected", "version": "9.10.0" }, { "lessThanOrEqual": "9.8.2", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.11.0" }, { "status": "unaffected", "version": "9.9.2" }, { "status": "unaffected", "version": "9.5.8" }, { "status": "unaffected", "version": "9.10.1" }, { "status": "unaffected", "version": "9.8.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", 
"supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.1, 9.5.x \u0026lt;= 9.5.7, 9.10.x \u0026lt;= 9.10.0, 9.8.x \u0026lt;= 9.8.2 fail to restrict the input in POST /api/v4/users which allows\u0026nbsp;a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2 fail to restrict the input in POST /api/v4/users which allows\u00a0a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T06:32:57.137Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.11.0, 9.9.2, 9.5.8, 9.10.1, 9.8.3 or higher." 
} ], "source": { "advisory": "MMSA-2024-00365", "defect": [ "https://mattermost.atlassian.net/browse/MM-58846" ], "discovery": "EXTERNAL" }, "title": "User creation date manipulation in POST /api/v4/users", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-42411", "datePublished": "2024-08-22T06:32:57.137Z", "dateReserved": "2024-08-20T16:09:35.884Z", "dateUpdated": "2024-08-22T13:22:35.586Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5159
Vulnerability from cvelistv5
Published
2023-09-29 09:21
Modified
2024-09-20 16:02
Summary
A User Manager role with user edit permissions could manage/update bots
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:07.464Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5159", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T15:10:44.919131Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T16:02:33.923Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.7.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.10" }, { "status": "unaffected", "version": "8.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly verify the permissions when managing/updating a bot allowing a\u0026nbsp;User Manager role with user edit permissions to manage/update bots.\u003c/p\u003e" } ], "value": "Mattermost fails to properly verify the permissions when managing/updating a bot allowing a\u00a0User Manager role with user edit permissions to manage/update bots.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", 
"integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-29T09:21:37.828Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.10, 8.1.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.10, 8.1.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00210", "defect": [ "https://mattermost.atlassian.net/browse/MM-53097" ], "discovery": "EXTERNAL" }, "title": "A User Manager role with user edit permissions could manage/update bots", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5159", "datePublished": "2023-09-29T09:21:37.828Z", "dateReserved": "2023-09-25T11:36:21.829Z", "dateUpdated": "2024-09-20T16:02:33.923Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3614
Vulnerability from cvelistv5
Published
2023-07-17 15:32
Modified
2024-10-21 19:39
Summary
Denial of Service via specially crafted gif image
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.084Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3614", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:17:44.164995Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:39:59.068Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate a gif image file, allowing an attacker to\u0026nbsp;consume a significant amount of server resources, making the server unresponsive for an extended period of time by\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;linking to specially crafted image file.\u003c/span\u003e\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate a gif image file, allowing an 
attacker to\u00a0consume a significant amount of server resources, making the server unresponsive for an extended period of time by\u00a0linking to specially crafted image file.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:32:16.646Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions\u0026nbsp;v7.8.7,\u0026nbsp;v7.9.5, v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions\u00a0v7.8.7,\u00a0v7.9.5, v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00190", "defect": [ "https://mattermost.atlassian.net/browse/MM-52719" ], "discovery": "INTERNAL" }, "title": "Denial of Service via specially crafted gif image", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3614", "datePublished": "2023-07-17T15:32:16.646Z", "dateReserved": "2023-07-11T09:04:11.707Z", "dateUpdated": "2024-10-21T19:39:59.068Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-10241
Vulnerability from cvelistv5
Published
2024-10-29 08:08
Modified
2024-10-29 12:52
Summary
Private channel names leaked with Ctrl+K when ElasticSearch is enabled
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-10241", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-29T12:52:44.390611Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-29T12:52:53.569Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.8.0" }, { "status": "unaffected", "version": "9.5.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.5.x \u0026lt;= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get\u0026nbsp;private channel names by using cmd+K/ctrl+K.\u003c/p\u003e" } ], "value": "Mattermost versions 9.5.x \u003c= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get\u00a0private channel names by using cmd+K/ctrl+K." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T08:08:20.873Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.8.0, 9.5.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.8.0, 9.5.10 or higher." } ], "source": { "advisory": "MMSA-2022-00129", "defect": [ "https://mattermost.atlassian.net/browse/MM-49256" ], "discovery": "EXTERNAL" }, "title": "Private channel names leaked with Ctrl+K when ElasticSearch is enabled", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-10241", "datePublished": "2024-10-29T08:08:20.873Z", "dateReserved": "2024-10-22T09:22:11.172Z", "dateUpdated": "2024-10-29T12:52:53.569Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2797
Vulnerability from cvelistv5
Published
2023-06-16 09:03
Modified
2024-08-02 06:33
Summary
Path traversal in GitHub plugin's code preview feature
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost Github Plugin |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.773Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost Github Plugin", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.1.10" }, { "status": "unaffected", "version": "7.8.5" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel.\u003cbr\u003e\u003c/div\u003e" } ], "value": "Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74 
Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T09:03:17.656Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.1.10, v7.8.5, v7.10.1 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.1.10, v7.8.5, v7.10.1 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00183", "defect": [ "https://mattermost.atlassian.net/browse/MM-51244" ], "discovery": "INTERNAL" }, "title": "Path traversal in GitHub plugin\u0027s code preview feature", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2797", "datePublished": "2023-06-16T09:03:17.656Z", "dateReserved": "2023-05-18T13:39:21.885Z", "dateUpdated": "2024-08-02T06:33:05.773Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-40703
Vulnerability from cvelistv5
Published
2023-11-27 09:08
Modified
2024-08-02 18:38
Summary
Denial of Service via specially crafted block fields in Mattermost Boards
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:38:51.081Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.1.1" }, { "status": "unaffected", "version": "9.0.2" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing\u0026nbsp;an attacker to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econsume excessive resources, possibly leading to Denial of Service, by\u003c/span\u003e\u0026nbsp;patching the field of a block using a specially crafted string.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing\u00a0an attacker to\u00a0consume excessive resources, possibly leading to Denial of Service, by\u00a0patching the field of a block using a specially crafted string.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { 
"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:08:31.251Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.1.1, 9.0.2, 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.1.1, 9.0.2, 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00219", "defect": [ "https://mattermost.atlassian.net/browse/MM-53233" ], "discovery": "EXTERNAL" }, "title": "Denial of Service via specially crafted block fields in Mattermost Boards", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-40703", "datePublished": "2023-11-27T09:08:31.251Z", "dateReserved": "2023-11-22T11:18:57.610Z", "dateUpdated": "2024-08-02T18:38:51.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5330
Vulnerability from cvelistv5
Published
2023-10-09 10:38
Modified
2024-09-05 19:47
Summary
Denial of Service via Opengraph Data Cache
References
Impacted products
| Vendor | Product |
|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:08.656Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5330", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:47:44.126838Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:47:56.144Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.10", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.11" }, { "status": "unaffected", "version": "8.0.3" }, { "status": "unaffected", "version": "8.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to\u0026nbsp;enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable.\u003c/p\u003e" } ], "value": "Mattermost fails to\u00a0enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the 
/api/v4/opengraph filling the cache and turning the server unavailable.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-09T10:38:39.415Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e7.8.11, \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.0.3,\u0026nbsp;\u003c/span\u003e8.1.2\u0026nbsp;or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions\u00a07.8.11, 8.0.3,\u00a08.1.2\u00a0or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00232", "defect": [ "https://mattermost.atlassian.net/browse/MM-53763" ], "discovery": "EXTERNAL" }, "title": " Denial of Service via Opengraph Data Cache", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5330", "datePublished": "2023-10-09T10:38:39.415Z", "dateReserved": "2023-10-02T10:48:43.542Z", "dateUpdated": "2024-09-05T19:47:56.144Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27265
Vulnerability from cvelistv5
Published
2023-02-27 14:46
Modified
2024-08-02 12:09
Summary
Disclosure of team owner email address when regenerating Invite ID
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:09:42.689Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "7.7.0", "status": "affected", "version": "5.12.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "foobar7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\u003cbr\u003e\u003c/div\u003e" } ], "value": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-27T14:46:23.494Z", 
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version 7.7.0 or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version 7.7.0 or higher.\n" } ], "source": { "advisory": "MMSA-2023-00133", "defect": [ "https://mattermost.atlassian.net/browse/MM-47982" ], "discovery": "EXTERNAL" }, "title": "Disclosure of team owner email address when regenerating Invite ID", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-27265", "datePublished": "2023-02-27T14:46:23.494Z", "dateReserved": "2023-02-27T14:31:01.786Z", "dateUpdated": "2024-08-02T12:09:42.689Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24776
Vulnerability from cvelistv5
Published
2024-02-09 14:50
Modified
2024-08-01 23:28
Summary
Incorrect Authorization leads to Channel Member Count Leak
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-24776", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-12T16:56:53.647994Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:20:51.618Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:12.437Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.7", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.8" }, { "status": "affected", "version": "9.4.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check the required permissions in the\u0026nbsp;POST /api/v4/channels/stats/member_count API resulting in\u0026nbsp;channel member counts being leaked to a user without permissions.\u003c/p\u003e" } ], "value": "Mattermost fails to check the required permissions in the\u00a0POST /api/v4/channels/stats/member_count API resulting in\u00a0channel member counts being leaked to a user without permissions.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": 
"LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-09T14:50:45.443Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 8.1.8, 9.4.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.8, 9.4.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00268", "defect": [ "https://mattermost.atlassian.net/browse/MM-55041" ], "discovery": "EXTERNAL" }, "title": " Incorrect Authorization leads to Channel Member Count Leak", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-24776", "datePublished": "2024-02-09T14:50:45.443Z", "dateReserved": "2024-01-30T10:23:06.717Z", "dateUpdated": "2024-08-01T23:28:12.437Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37859
Vulnerability from cvelistv5
Published
2021-08-05 19:40
Modified
2024-08-04 01:30
Summary
Reflected XSS in OAuth Flow
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:09.121Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "status": "unaffected", "version": "5.34.5" }, { "status": "unaffected", "version": "5.35.4" }, { "lessThanOrEqual": "5.36.0", "status": "affected", "version": "5.32.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-05T19:40:10", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": "MMSA-2021-0055", "defect": [ "https://mattermost.atlassian.net/browse/MM-36249" ], "discovery": "EXTERNAL" }, "title": "Reflected XSS in OAuth Flow", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2021-37859", "STATE": "PUBLIC", "TITLE": "Reflected XSS in OAuth Flow" }, "affects": { "vendor": { 
"vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost ", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "5.32.0", "version_value": "5.36.0" }, { "version_affected": "!", "version_name": "5.34.5", "version_value": "5.34.5" }, { "version_affected": "!", "version_name": "5.35.4", "version_value": "5.35.4" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": "MMSA-2021-0055", "defect": [ "https://mattermost.atlassian.net/browse/MM-36249" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37859", "datePublished": "2021-08-05T19:40:10", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:09.121Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5194
Vulnerability from cvelistv5
Published
2023-09-29 09:28
Modified
2024-09-05 19:59
Summary
A system/user manager can demote / deactivate another manager
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:08.255Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5194", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:59:26.948054Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:59:54.546Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.9", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "8.1.1" }, { "status": "unaffected", "version": "7.8.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate permissions when demoting and deactivating a user allowing for a\u0026nbsp;system/user manager to demote / deactivate another manager\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a\u00a0system/user manager to demote / deactivate another manager\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-29T09:28:50.676Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.1.1, 7.8.10\u003c/span\u003e or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 8.1.1, 7.8.10 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00223", "defect": [ "https://mattermost.atlassian.net/browse/MM-53368" ], "discovery": "EXTERNAL" }, "title": "A system/user manager can demote / deactivate another manager", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5194", "datePublished": "2023-09-29T09:28:50.676Z", "dateReserved": "2023-09-26T09:03:42.301Z", "dateUpdated": "2024-09-05T19:59:54.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36287
Vulnerability from cvelistv5
Published
2024-06-14 08:39
Modified
2024-08-02 03:37
Summary
Bypass of TCC restrictions on macOS
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-36287", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-14T15:36:28.149319Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-14T15:36:56.846Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:37:03.683Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "MacOS" ], "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.7.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.8.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Fatih ERDOGAN - @ FeCassie" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Desktop App versions \u0026lt;=5.7.0 fail to disable certain Electron debug flags which allows for bypassing\u0026nbsp;TCC restrictions on macOS.\u003c/p\u003e" } ], "value": "Mattermost Desktop App versions \u003c=5.7.0 fail to disable certain Electron debug flags which allows for bypassing\u00a0TCC restrictions on macOS." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-14T08:39:08.132Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Desktop App to versions 5.8.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Desktop App to versions 5.8.0 or higher." } ], "source": { "advisory": "MMSA-2024-00326", "defect": [ "https://mattermost.atlassian.net/browse/MM-57911" ], "discovery": "EXTERNAL" }, "title": "Bypass of TCC restrictions on macOS", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-36287", "datePublished": "2024-06-14T08:39:08.132Z", "dateReserved": "2024-06-14T08:22:33.357Z", "dateUpdated": "2024-08-02T03:37:03.683Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41926
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-01 14:32
Summary
Malicious remote can claim that a user was synced from another remote
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-41926", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T14:31:59.417867Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:32:10.107Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0 and 9.5.x \u0026lt;= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs,\u0026nbsp;which allows a malicious remote to\u0026nbsp;set arbitrary RemoteId values for synced users and therefore\u0026nbsp;claim that a user was synced from another remote.\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0 and 9.5.x \u003c= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs,\u00a0which allows a malicious remote to\u00a0set arbitrary RemoteId values for synced users and therefore\u00a0claim that a user was synced from another remote." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:10.650Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7 or higher." } ], "source": { "advisory": "MMSA-2024-00343", "defect": [ "https://mattermost.atlassian.net/browse/MM-58252" ], "discovery": "INTERNAL" }, "title": "Malicious remote can claim that a user was synced from another remote", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-41926", "datePublished": "2024-08-01T14:05:10.650Z", "dateReserved": "2024-07-23T18:35:14.800Z", "dateUpdated": "2024-08-01T14:32:10.107Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-47401
Vulnerability from cvelistv5
Published
2024-10-29 08:11
Modified
2024-10-29 12:52
Summary
DoS via Amplified GraphQL Response in Playbooks
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-47401", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-29T12:51:53.557835Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-29T12:52:04.161Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.10.2", "status": "affected", "version": "9.10.0", "versionType": "semver" }, { "lessThanOrEqual": "9.11.1", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.0.0" }, { "status": "unaffected", "version": "9.10.3" }, { "status": "unaffected", "version": "9.11.2" }, { "status": "unaffected", "version": "9.5.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1 and 9.5.x \u0026lt;= 9.5.9 fail to\u0026nbsp;prevent detailed error messages from being displayed\u0026nbsp;in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1 and 9.5.x \u003c= 9.5.9 fail to\u00a0prevent detailed error messages from being displayed\u00a0in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response 
which in turn could cause the application to crash by sending a specially crafted request to Playbooks." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T08:11:17.553Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher." } ], "source": { "advisory": "MMSA-2024-00360", "defect": [ "https://mattermost.atlassian.net/browse/MM-58790" ], "discovery": "EXTERNAL" }, "title": "DoS via Amplified GraphQL Response in Playbooks", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-47401", "datePublished": "2024-10-29T08:11:17.553Z", "dateReserved": "2024-10-21T16:12:47.128Z", "dateUpdated": "2024-10-29T12:52:04.161Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-22091
Vulnerability from cvelistv5
Published
2024-04-26 08:24
Modified
2024-08-01 22:35
Summary
Excessive resource consumption due to lack to request path size limits
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost_server:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost_server", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "8.1x" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.6x" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "9.5x" } ] }, { "cpes": [ "cpe:2.3:a:mattermost:mattermost:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost", "vendor": "mattermost", "versions": [ { "status": "affected", "version": "8.1x" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-22091", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-26T14:47:29.118846Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:52:42.979Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:35:34.806Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "affected", "version": "9.6.0" }, { "lessThanOrEqual": "9.5.2", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": 
"8.1.11", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.7.0" }, { "status": "unaffected", "version": "8.1.11" }, { "status": "unaffected", "version": "9.6.1" }, { "status": "unaffected", "version": "9.5.3" }, { "status": "unaffected", "version": "8.1.12" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Veshraj Ghimire (ghimire_veshraj)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x \u0026lt;= 8.1.10, 9.6.x \u0026lt;= 9.6.0, 9.5.x \u0026lt;= 9.5.2 and 8.1.x \u0026lt;= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;excessive resource\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003econsumption\u003c/span\u003e, possibly leading to a DoS\u003c/span\u003e\u0026nbsp;via sending large request paths\u003c/p\u003e" } ], "value": "Mattermost versions 8.1.x \u003c= 8.1.10, 9.6.x \u003c= 9.6.0, 9.5.x \u003c= 9.5.2 and 8.1.x \u003c= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause\u00a0excessive resource\u00a0consumption, possibly leading to a DoS\u00a0via sending large request paths\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": 
"CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T08:24:34.049Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.7.0, 8.1.11, 9.6.1, 9.5.3, 8.1.12 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.7.0, 8.1.11, 9.6.1, 9.5.3, 8.1.12 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00308", "defect": [ "https://mattermost.atlassian.net/browse/MM-56708" ], "discovery": "EXTERNAL" }, "title": "Excessive resource consumption due to lack to request path size limits", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-22091", "datePublished": "2024-04-26T08:24:34.049Z", "dateReserved": "2024-04-10T09:53:47.697Z", "dateUpdated": "2024-08-01T22:35:34.806Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5160
Vulnerability from cvelistv5
Published
2023-10-02 10:46
Modified
2024-09-05 19:51
Summary
Full name disclosure via team top membership with Show Full Name option disabled
References
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:07.474Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5160", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:50:50.880779Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:51:13.978Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.10" }, { "status": "unaffected", "version": "8.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hack Cats (aungpyaekoko)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing\u0026nbsp;a member to get the full name of another user even if the Show Full Name option was disabled\u003cbr\u003e\u003c/p\u003e" } ], "value": "Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing\u00a0a member to get the full name of another user even if the Show Full Name option was disabled\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-02T10:46:33.153Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.10, 8.1.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.10, 8.1.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00217", "defect": [ "https://mattermost.atlassian.net/browse/MM-53191" ], "discovery": "EXTERNAL" }, "title": "Full name disclosure via team top membership with Show Full Name option disabled", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5160", "datePublished": "2023-10-02T10:46:33.153Z", "dateReserved": "2023-09-25T11:43:46.566Z", "dateUpdated": "2024-09-05T19:51:13.978Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50052
Vulnerability from cvelistv5
Published
2024-10-29 08:10
Modified
2024-10-29 12:52
Summary
Arbitrary post deletion via Playbooks /ignore-thread endpoint
References
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-50052", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-29T12:52:23.171944Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-29T12:52:31.657Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.10.2", "status": "affected", "version": "9.10.0", "versionType": "semver" }, { "lessThanOrEqual": "9.11.1", "status": "affected", "version": "9.11.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.9", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "10.0.0" }, { "status": "unaffected", "version": "9.10.3" }, { "status": "unaffected", "version": "9.11.2" }, { "status": "unaffected", "version": "9.5.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesse Hallam" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.10.x \u0026lt;= 9.10.2, 9.11.x \u0026lt;= 9.11.1, 9.5.x \u0026lt;= 9.5.9 fail to\u0026nbsp;check that the origin of the message in an integration action matches with the original post metadata\u0026nbsp;which allows an authenticated user to delete an arbitrary post.\u003c/p\u003e" } ], "value": "Mattermost versions 9.10.x \u003c= 9.10.2, 9.11.x \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 fail to\u00a0check that the origin of the message in an integration action matches with the original post metadata\u00a0which allows an authenticated user to delete an arbitrary post." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T08:10:17.129Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher." } ], "source": { "advisory": "MMSA-2024-00350", "defect": [ "https://mattermost.atlassian.net/browse/MM-58431" ], "discovery": "INTERNAL" }, "title": "Arbitrary post deletion via Playbooks /ignore-thread endpoint", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-50052", "datePublished": "2024-10-29T08:10:17.129Z", "dateReserved": "2024-10-21T16:12:47.116Z", "dateUpdated": "2024-10-29T12:52:31.657Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41144
Vulnerability from cvelistv5
Published
2024-08-01 14:05
Modified
2024-08-05 16:58
Summary
Malicious remote can create/update/delete arbitrary posts in arbitrary channels
References
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-41144", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-05T16:57:35.263257Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-05T16:58:34.663Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.9.0" }, { "lessThanOrEqual": "9.5.6", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.7.5", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.8.1", "status": "affected", "version": "9.8.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.10.0" }, { "status": "unaffected", "version": "9.9.1" }, { "status": "unaffected", "version": "9.5.7" }, { "status": "unaffected", "version": "9.7.6" }, { "status": "unaffected", "version": "9.8.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.9.x \u0026lt;= 9.9.0, 9.5.x \u0026lt;= 9.5.6, 9.7.x \u0026lt;= 9.7.5, 9.8.x \u0026lt;= 9.8.1 fail to properly validate\u0026nbsp;synced posts, when shared channels are enabled,\u0026nbsp;\u0026nbsp;which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels\u003c/p\u003e" } ], "value": "Mattermost versions 9.9.x \u003c= 9.9.0, 9.5.x \u003c= 9.5.6, 9.7.x \u003c= 9.7.5, 9.8.x \u003c= 9.8.1 fail to properly validate\u00a0synced posts, when shared channels are enabled,\u00a0\u00a0which allows a malicious remote to create/update/delete arbitrary 
posts in arbitrary channels" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:05:08.491Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher." } ], "source": { "advisory": "MMSA-2024-00355", "defect": [ "https://mattermost.atlassian.net/browse/MM-58576" ], "discovery": "INTERNAL" }, "title": "Malicious remote can create/update/delete arbitrary posts in arbitrary channels", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-41144", "datePublished": "2024-08-01T14:05:08.491Z", "dateReserved": "2024-07-23T19:00:08.555Z", "dateUpdated": "2024-08-05T16:58:34.663Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37860
Vulnerability from cvelistv5
Published
2021-09-22 16:40
Modified
2024-08-04 01:30
Summary
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.
References
| URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:09.076Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "5.38", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-22T16:40:43", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": "MMSA-2021-0069", "defect": [ "https://mattermost.atlassian.net/browse/MM-38293" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2021-37860", "STATE": "PUBLIC", "TITLE": "" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost 
", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "5.38" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": "MMSA-2021-0069", "defect": [ "https://mattermost.atlassian.net/browse/MM-38293" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37860", "datePublished": "2021-09-22T16:40:43", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:09.076Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37865
Vulnerability from cvelistv5
Published
2022-01-18 16:51
Modified
2024-08-04 01:30
Summary
Server-side Denial of Service while processing a specifically crafted GIF file
References
| URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
https://hackerone.com/reports/1428260 | x_refsource_MISC |
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:30:08.496Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1428260" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost ", "vendor": "Mattermost ", "versions": [ { "lessThanOrEqual": "6.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "6.1.1", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "6.0.4", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "5.39.3", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "5.37.6", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-18T16:51:48", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1428260" } ], "source": { "advisory": "MMSA-2021-0081", "defect": [ "https://mattermost.atlassian.net/browse/MM-40627" ], "discovery": "EXTERNAL" }, "title": "Server-side Denial of Service while processing a specifically crafted GIF file", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2021-37865", "STATE": "PUBLIC", "TITLE": "Server-side Denial of Service while processing a specifically crafted GIF file" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost ", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "6.2" }, { "version_affected": "!\u003e=", "version_value": "6.1.1" }, { "version_affected": "!\u003e=", "version_value": "6.0.4" }, { "version_affected": "!\u003e=", "version_value": "5.39.3" }, { "version_affected": "!\u003e=", "version_value": "5.37.6" } ] } } ] }, "vendor_name": "Mattermost " } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", 
"value": "Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1428260", "refsource": "MISC", "url": "https://hackerone.com/reports/1428260" } ] }, "source": { "advisory": "MMSA-2021-0081", "defect": [ "https://mattermost.atlassian.net/browse/MM-40627" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2021-37865", "datePublished": "2022-01-18T16:51:48", "dateReserved": "2021-08-02T00:00:00", "dateUpdated": "2024-08-04T01:30:08.496Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-7114
Vulnerability from cvelistv5
Published
2023-12-29 12:46
Modified
2024-09-09 17:28
Summary
Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
References
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:50:08.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-7114", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-09T17:28:11.991083Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-09T17:28:54.020Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "2.10.0", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "2.10.0", "status": "unaffected", "version": "2.10.1 ", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "DoyenSec" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.\u003c/p\u003e" } ], "value": "Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-29T12:46:22.501Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to version 2.10.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Mobile Apps to version 2.10.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00253", "defect": [ "https://mattermost.atlassian.net/browse/MM-53901" ], "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-7114", "datePublished": "2023-12-29T12:46:22.501Z", "dateReserved": "2023-12-26T10:45:27.420Z", "dateUpdated": "2024-09-09T17:28:54.020Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2831
Vulnerability from cvelistv5
Published
2023-06-16 09:06
Modified
2024-08-02 06:33
Summary
Denial of Service while unescaping a Markdown string
References
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.799Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.1.10 " }, { "status": "unaffected", "version": "7.8.5" }, { "status": "unaffected", "version": "7.9.4" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "claverrat" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters.\u003cbr\u003e" } ], "value": "Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": 
"CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T09:06:15.292Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version 7.1.10,\u0026nbsp;7.8.5, 7.9.4,\u0026nbsp;7.10.1\u0026nbsp;or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version 7.1.10,\u00a07.8.5, 7.9.4,\u00a07.10.1\u00a0or higher.\n" } ], "source": { "advisory": "MMSA-2023-00177", "defect": [ "https://mattermost.atlassian.net/browse/MM-52163" ], "discovery": "EXTERNAL" }, "title": "Denial of Service while unescaping a Markdown string", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2831", "datePublished": "2023-06-16T09:06:15.292Z", "dateReserved": "2023-05-22T09:30:20.884Z", "dateUpdated": "2024-08-02T06:33:05.799Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49607
Vulnerability from cvelistv5
Published
2023-12-12 08:21
Modified
2024-08-02 22:01
Summary
Playbook plugin crash via missing interface type assertion
References
Impacted products
| Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:01:26.012Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.2.1", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.2.2" }, { "status": "unaffected", "version": "8.1.6" }, { "status": "unaffected", "version": "9.0.4" }, { "status": "unaffected", "version": "9.1.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to validate the type of the \"reminder\" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.\u003c/p\u003e" } ], "value": "Mattermost fails to validate the type of the \"reminder\" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, 
"format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-12T08:21:36.568Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Plugins to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Plugins to versions 9.2.2, 8.1.6, 9.0.4, 9.1.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00238", "defect": [ "https://mattermost.atlassian.net/browse/MM-54150" ], "discovery": "EXTERNAL" }, "title": "Playbook plugin crash via missing interface type assertion", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-49607", "datePublished": "2023-12-12T08:21:36.568Z", "dateReserved": "2023-12-05T08:22:34.310Z", "dateUpdated": "2024-08-02T22:01:26.012Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2447
Vulnerability from cvelistv5
Published
2024-04-05 08:52
Modified
2024-08-01 19:11
Summary
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-2447", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-29T15:51:10.928653Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-29T15:51:20.770Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:11:53.562Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "9.5.1", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "lessThanOrEqual": "9.4.3", "status": "affected", "version": "9.4.0", "versionType": "semver" }, { "lessThanOrEqual": "9.3.2", "status": "affected", "version": "9.3.0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.6.0" }, { "status": "unaffected", "version": "9.5.2" }, { "status": "unaffected", "version": "9.4.4" }, { "status": "unaffected", "version": "9.3.3" }, { "status": "unaffected", "version": "8.1.11" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.\u003c/p\u003e" 
} ], "value": "Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-05T08:52:59.664Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00306", "defect": [ "https://mattermost.atlassian.net/browse/MM-56634" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-2447", "datePublished": "2024-04-05T08:52:59.664Z", "dateReserved": "2024-03-14T12:23:53.044Z", "dateUpdated": "2024-08-01T19:11:53.562Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39613
Vulnerability from cvelistv5
Published
2024-09-16 06:40
Modified
2024-09-16 13:05
Summary
RCE in desktop app in Windows by local attacker
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39613", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-16T13:04:12.913941Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-16T13:05:12.477Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows" ], "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.8.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.9.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "SParK (parksangwoo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Desktop App versions \u0026lt;=5.8.0 fail to\u0026nbsp;specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user\u0027s machine to cause remote code execution on that machine.\u003c/p\u003e" } ], "value": "Mattermost Desktop App versions \u003c=5.8.0 fail to\u00a0specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user\u0027s machine to cause remote code execution on that machine." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-16T06:40:58.501Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Desktop App to version 5.9.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Desktop App to version 5.9.0 or higher." } ], "source": { "advisory": "MMSA-2024-00307", "defect": [ "https://mattermost.atlassian.net/browse/MM-55340" ], "discovery": "EXTERNAL" }, "title": "RCE in desktop app in Windows by local attacker", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39613", "datePublished": "2024-09-16T06:40:58.501Z", "dateReserved": "2024-09-10T08:20:38.471Z", "dateUpdated": "2024-09-16T13:05:12.477Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2787
Vulnerability from cvelistv5
Published
2023-06-16 08:55
Modified
2024-08-02 06:33
Summary
Collapsed Reply Threads APIs leak message contents from private channels
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.738Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.9.3" }, { "status": "unaffected", "version": "7.8.4" }, { "status": "unaffected", "version": "7.1.9" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.\u003c/div\u003e" } ], "value": "Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": 
"GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T08:55:39.391Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.1.10, v7.8.5, v7.9.4, v7.10.1, or higher.\u003cbr\u003e" } ], "value": "Update Mattermost to version v7.1.10, v7.8.5, v7.9.4, v7.10.1, or higher.\n" } ], "source": { "advisory": "MMSA-2023-00164", "defect": [ "https://mattermost.atlassian.net/browse/MM-50568" ], "discovery": "INTERNAL" }, "title": "Collapsed Reply Threads APIs leak message contents from private channels", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2787", "datePublished": "2023-06-16T08:55:39.391Z", "dateReserved": "2023-05-18T11:46:01.638Z", "dateUpdated": "2024-08-02T06:33:05.738Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1982
Vulnerability from cvelistv5
Published
2022-06-02 17:03
Modified
2024-08-03 00:24
Summary
A crafted SVG attachment can crash a Mattermost server
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.087Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "6.5.x 6.5.0" }, { "status": "affected", "version": "6.6.x 6.6.0" }, { "lessThanOrEqual": "5.39", "status": "affected", "version": "5.x", "versionType": "custom" }, { "lessThanOrEqual": "6.3.7", "status": "affected", "version": "6.x", "versionType": "custom" }, { "lessThanOrEqual": "6.4.2", "status": "affected", "version": "6.4.x", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-02T17:03:07", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "source": { "advisory": "MMSA-2022-00104", "defect": [ "https://mattermost.atlassian.net/browse/MM-43392" ], "discovery": "INTERNAL" }, "title": "A crafted SVG attachment can crash a Mattermost server", "workarounds": [ { "lang": "en", "value": "Configure the maximum file size for message attachments to 20 megabytes or less: https://docs.mattermost.com/configure/configuration-settings.html#maximum-file-size" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-1982", "STATE": "PUBLIC", "TITLE": "A crafted SVG attachment can crash a Mattermost server" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "5.x", "version_value": "5.39" }, { "version_affected": "\u003c=", "version_name": "6.x", "version_value": "6.3.7" }, { "version_affected": "\u003c=", "version_name": "6.4.x", "version_value": "6.4.2" }, { "version_affected": "=", "version_name": "6.5.x", "version_value": "6.5.0" }, { "version_affected": "=", "version_name": "6.6.x", "version_value": 
"6.6.0" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "source": { "advisory": "MMSA-2022-00104", "defect": [ "https://mattermost.atlassian.net/browse/MM-43392" ], "discovery": "INTERNAL" }, "work_around": [ { "lang": "en", "value": "Configure the maximum file size for message attachments to 20 megabytes or less: https://docs.mattermost.com/configure/configuration-settings.html#maximum-file-size" } ] } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-1982", "datePublished": "2022-06-02T17:03:07", "dateReserved": "2022-06-02T00:00:00", "dateUpdated": "2024-08-03T00:24:44.087Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-39361
Vulnerability from cvelistv5
Published
2024-07-03 08:35
Modified
2024-08-02 04:26
Summary
Creating posts with user-defined IDs permitted in CreatePost API
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-39361", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T15:12:06.305904Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T15:12:16.370Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:14.801Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "status": "affected", "version": "9.8.0" }, { "lessThanOrEqual": "9.7.4", "status": "affected", "version": "9.7.0", "versionType": "semver" }, { "lessThanOrEqual": "9.6.2", "status": "affected", "version": "9.6.0", "versionType": "semver" }, { "lessThanOrEqual": "9.5.5", "status": "affected", "version": "9.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.9.0" }, { "status": "unaffected", "version": "9.8.1" }, { "status": "unaffected", "version": "9.7.5" }, { "status": "unaffected", "version": "9.6.3" }, { "status": "unaffected", "version": "9.5.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Fors\u00e9n" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost versions 9.8.0, 9.7.x \u0026lt;= 9.7.4, 9.6.x \u0026lt;= 9.6.2 and 9.5.x \u0026lt;= 9.5.5 fail to\u0026nbsp;prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. 
This can cause some broken functionality in the channel or thread with user-defined posts\u003c/p\u003e" } ], "value": "Mattermost versions 9.8.0, 9.7.x \u003c= 9.7.4, 9.6.x \u003c= 9.6.2 and 9.5.x \u003c= 9.5.5 fail to\u00a0prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T08:35:43.118Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost to versions 9.9.0, 9.8.1, 9.7.5, 9.6.3, 9.5.6 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost to versions 9.9.0, 9.8.1, 9.7.5, 9.6.3, 9.5.6 or higher." 
} ], "source": { "advisory": "MMSA-2024-00347", "defect": [ "https://mattermost.atlassian.net/browse/MM-58276" ], "discovery": "INTERNAL" }, "title": "Creating posts with user-defined IDs permitted in CreatePost API", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-39361", "datePublished": "2024-07-03T08:35:43.118Z", "dateReserved": "2024-07-01T10:22:11.616Z", "dateUpdated": "2024-08-02T04:26:14.801Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2785
Vulnerability from cvelistv5
Published
2023-06-16 09:07
Modified
2024-08-02 06:33
Summary
Specially crafted search query can cause large log entries in postgres
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.558Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.10.1" }, { "status": "unaffected", "version": "7.9.4" }, { "status": "unaffected", "version": "7.8.5" }, { "status": "unaffected", "version": "7.1.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Filip Omazi\u0107" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of\u0026nbsp;large log files\u0026nbsp;which can result in Denial of Service\u003c/p\u003e" } ], "value": "Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of\u00a0large log files\u00a0which can result in Denial of Service\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-28T09:38:30.371Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.1.10, v7.8.5, v7.9.4, v.7.10.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.1.10, v7.8.5, v7.9.4, v.7.10.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00171", "defect": [ "https://mattermost.atlassian.net/browse/MM-52216" ], "discovery": "EXTERNAL" }, "title": "Specially crafted search query can cause large log entries in postgres", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2785", "datePublished": "2023-06-16T09:07:28.235Z", "dateReserved": "2023-05-18T10:35:58.147Z", "dateUpdated": "2024-08-02T06:33:05.558Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-3872
Vulnerability from cvelistv5
Published
2024-04-16 09:05
Modified
2024-08-01 20:26
Summary
Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mattermost_mobile", "vendor": "mattermost", "versions": [ { "lessThanOrEqual": "2.13.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-3872", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-22T14:26:40.200608Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:32:17.435Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:26:57.005Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "2.13.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "2.14.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.\u003c/p\u003e" } ], "value": "Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a 
long maliciously crafted link.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-16T09:05:04.719Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.14.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Mobile Apps to versions 2.14.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2024-00303", "defect": [ "https://mattermost.atlassian.net/browse/MM-55751" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-3872", "datePublished": "2024-04-16T09:05:04.719Z", "dateReserved": "2024-04-16T08:51:45.288Z", "dateUpdated": "2024-08-01T20:26:57.005Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3593
Vulnerability from cvelistv5
Published
2023-07-17 15:38
Modified
2024-10-21 19:40
Summary
Server crash via a specially crafted markdown input
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.038Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3593", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:17:40.637350Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:40:56.331Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.6", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.7" }, { "status": "unaffected", "version": "7.9.5" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate markdown, allowing an attacker to c\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003erash the server\u003c/span\u003e via a specially crafted markdown input.\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", 
"attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:38:57.759Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to versions v7.8.7,\u0026nbsp;v7.9.5, v7.10.3 or higher" } ], "value": "Update Mattermost to versions v7.8.7,\u00a0v7.9.5, v7.10.3 or higher" } ], "source": { "advisory": "MMSA-2023-00185", "defect": [ "https://mattermost.atlassian.net/browse/MM-52526" ], "discovery": "INTERNAL" }, "title": "Server crash via a specially crafted markdown input", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3593", "datePublished": "2023-07-17T15:38:57.759Z", "dateReserved": "2023-07-10T15:18:02.205Z", "dateUpdated": "2024-10-21T19:40:56.331Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5193
Vulnerability from cvelistv5
Published
2023-09-29 09:23
Modified
2024-09-20 16:01
Summary
System Role with manage posts permission can read posts of Direct Messages
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:07.827Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5193", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T15:10:34.173042Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T16:01:39.785Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.9", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "8.1.0" }, { "status": "unaffected", "version": "8.0.2" }, { "status": "unaffected", "version": "8.1.1" }, { "status": "unaffected", "version": "7.8.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly check permissions when retrieving a post allowing for\u0026nbsp;a System Role with the permission to manage channels to read the posts of a DM conversation.\u003c/p\u003e" } ], "value": "Mattermost fails to properly check permissions when retrieving a post allowing for\u00a0a System Role with the permission to manage channels to read the posts of a DM conversation.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-29T09:23:47.082Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost Server to versions\u0026nbsp;7.8.10, 8.0.2,\u0026nbsp;8.1.1 or higher" } ], "value": "Update Mattermost Server to versions\u00a07.8.10, 8.0.2,\u00a08.1.1 or higher" } ], "source": { "advisory": "MMSA-2023-00222", "defect": [ "https://mattermost.atlassian.net/browse/MM-53202" ], "discovery": "EXTERNAL" }, "title": "System Role with manage posts permission can read posts of Direct Messages", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5193", "datePublished": "2023-09-29T09:23:47.082Z", "dateReserved": "2023-09-26T08:44:07.420Z", "dateUpdated": "2024-09-20T16:01:39.785Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-48369
Vulnerability from cvelistv5
Published
2023-11-27 09:10
Modified
2024-08-02 21:30
Summary
Log Flooding due to specially crafted requests in different endpoints
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:30:33.816Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.1", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.1.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "9.0.2" }, { "status": "unaffected", "version": "9.1.1" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. \u003c/p\u003e" } ], "value": "Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. 
\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:10:21.484Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00233", "defect": [ "https://mattermost.atlassian.net/browse/MM-53850" ], "discovery": "EXTERNAL" }, "title": "Log Flooding due to specially crafted requests in different endpoints", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-48369", "datePublished": "2023-11-27T09:10:21.484Z", "dateReserved": "2023-11-22T11:18:57.618Z", "dateUpdated": "2024-08-02T21:30:33.816Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45223
Vulnerability from cvelistv5
Published
2023-11-27 09:06
Modified
2024-08-02 20:14
Summary
Users' full name disclosure through Mattermost Boards with Show Full Name option disabled
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:14:19.768Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.12", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.13" }, { "status": "unaffected", "version": "8.1.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pyae Phyo (pyae_phyo)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly validate the \"Show Full Name\" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost fails to properly validate the \"Show Full Name\" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.\u00a0\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure 
of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-27T09:06:34.489Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.13, 8.1.4 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.13, 8.1.4 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00216", "defect": [ "https://mattermost.atlassian.net/browse/MM-53189" ], "discovery": "EXTERNAL" }, "title": "Users full name disclosure through Mattermost Boards with Show Full Name Option disabled", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-45223", "datePublished": "2023-11-27T09:06:34.489Z", "dateReserved": "2023-11-20T12:06:31.664Z", "dateUpdated": "2024-08-02T20:14:19.768Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4019
Vulnerability from cvelistv5
Published
2022-11-23 05:32
Modified
2024-08-03 01:27
Summary
An authenticated user could send multiple requests containing a large payload to a Playbooks API and crash a Mattermost server
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Playbooks Plugin |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:27:54.186Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_transferred" ], "url": "https://hackerone.com/reports/1685979" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Playbooks Plugin", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.3", "status": "affected", "version": "1.0.0", "versionType": "semver" }, { "lessThanOrEqual": "7.1.*", "status": "unaffected", "version": "7.1.4", "versionType": "semver" }, { "lessThan": "7.2.1", "status": "affected", "version": "7.2.0", "versionType": "semver" }, { "lessThan": "7.3.1", "status": "affected", "version": "7.3.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.4.0" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.\u003c/span\u003e\u003cbr\u003e" } ], "value": "A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.\n" } ], "impacts": [ { "capecId": "CAPEC-130", "descriptions": [ { "lang": "en", "value": "CAPEC-130 Excessive Allocation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-23T05:32:15.495Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" }, { "url": "https://hackerone.com/reports/1685979" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher." } ], "value": "Update Mattermost to version v7.1.4, 7.2.1, 7.3.1, 7.4.0 or higher." } ], "source": { "advisory": "MMSA-2022-00118", "discovery": "EXTERNAL" }, "title": "Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-4019", "datePublished": "2022-11-23T05:32:15.495Z", "dateReserved": "2022-11-16T11:55:40.576Z", "dateUpdated": "2024-08-03T01:27:54.186Z", "requesterUserId": "0a729610-c22f-40e3-9816-673e47743f12", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5969
Vulnerability from cvelistv5
Published
2023-11-06 15:48
Modified
2024-09-17 13:07
Summary
Denial of Service via Link Preview in /api/v4/redirect_location
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:14:25.131Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5969", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T13:21:56.442988Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-17T13:07:28.847Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.11", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.0.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.1.2", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "9.0.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.12" }, { "status": "unaffected", "version": "8.0.4" }, { "status": "unaffected", "version": "8.1.3" }, { "status": "unaffected", "version": "9.0.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "vultza (vultza)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to properly sanitize the request to\u0026nbsp;/api/v4/redirect_location allowing an\u0026nbsp;attacker,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esending a specially crafted request to /api/v4/redirect_location,\u0026nbsp;\u003c/span\u003eto 
fill up the memory due to caching large items.\u003c/p\u003e" } ], "value": "Mattermost fails to properly sanitize the request to\u00a0/api/v4/redirect_location allowing an\u00a0attacker,\u00a0sending a specially crafted request to /api/v4/redirect_location,\u00a0to fill up the memory due to caching large items.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-06T15:48:23.590Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.12, 8.0.4, 8.1.3, 9.0.1 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.12, 8.0.4, 8.1.3, 9.0.1 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00240", "defect": [ "https://mattermost.atlassian.net/browse/MM-54218" ], "discovery": "EXTERNAL" }, "title": " Denial of Service via Link Preview in /api/v4/redirect_location", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5969", "datePublished": "2023-11-06T15:48:23.590Z", "dateReserved": "2023-11-06T15:45:39.602Z", "dateUpdated": "2024-09-17T13:07:28.847Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-0904
Vulnerability from cvelistv5
Published
2022-03-09 15:21
Modified
2024-08-02 23:47
Summary
Stack overflow in document extractor in Mattermost
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:47:42.621Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThan": "6.3.3", "status": "affected", "version": "6.3", "versionType": "custom" }, { "lessThan": "6.2.3", "status": "affected", "version": "6.2", "versionType": "custom" }, { "lessThan": "6.1.3", "status": "affected", "version": "6.1", "versionType": "custom" }, { "lessThan": "5.37.8", "status": "affected", "version": "5.37", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Call stack overflow / goroutine stack overflow", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-09T15:21:17", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run\n" } ], "source": { "advisory": "MMSA-2022-0086", "defect": [ "https://mattermost.atlassian.net/browse/MM-41334" ], "discovery": "INTERNAL" }, "title": "Stack overflow in document extractor in Mattermost", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-0904", "STATE": "PUBLIC", "TITLE": "Stack overflow in document extractor in Mattermost" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "6.3", "version_value": "6.3.3" }, { "version_affected": "\u003c", "version_name": "6.2", "version_value": "6.2.3" }, { "version_affected": "\u003c", "version_name": "6.1", "version_value": "6.1.3" }, { "version_affected": "\u003c", "version_name": "5.37", "version_value": "5.37.8" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Juho Nurminen for contributing to this improvement under 
the Mattermost responsible disclosure policy." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Call stack overflow / goroutine stack overflow" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" } ] }, "solution": [ { "lang": "en", "value": "Update the Mattermost version to v6.3.3, 6.2.3, 6.1.3, or 5.37.8, depending on the minor version being run\n" } ], "source": { "advisory": "MMSA-2022-0086", "defect": [ "https://mattermost.atlassian.net/browse/MM-41334" ], "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-0904", "datePublished": "2022-03-09T15:21:17", "dateReserved": "2022-03-09T00:00:00", "dateUpdated": "2024-08-02T23:47:42.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-3257
Vulnerability from cvelistv5
Published
2022-09-23 14:13
Modified
2024-08-03 01:07
Summary
Server-side Denial of Service while processing a specifically crafted GIF file
References
▼ | URL | Tags |
---|---|---|
https://mattermost.com/security-updates/ | x_refsource_MISC |
https://hackerone.com/reports/1620170 | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:07:05.657Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1620170" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.x", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy." } ], "descriptions": [ { "lang": "en", "value": "Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-23T14:13:39", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://mattermost.com/security-updates/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1620170" } ], "solutions": [ { "lang": "en", "value": "Update Mattermost to version v7.2 or higher." } ], "source": { "advisory": "MMSA-2022-00115", "defect": [ "https://mattermost.atlassian.net/browse/MM-45503" ], "discovery": "EXTERNAL" }, "title": "Server-side Denial of Service while processing a specifically crafted GIF file", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "responsibledisclosure@mattermost.com", "ID": "CVE-2022-3257", "STATE": "PUBLIC", "TITLE": "Server-side Denial of Service while processing a specifically crafted GIF file" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mattermost", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "7.1.x" } ] } } ] }, "vendor_name": "Mattermost" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Philippe Antoine (catenacyber) for contributing to this improvement under the Mattermost responsible disclosure policy." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://mattermost.com/security-updates/", "refsource": "MISC", "url": "https://mattermost.com/security-updates/" }, { "name": "https://hackerone.com/reports/1620170", "refsource": "MISC", "url": "https://hackerone.com/reports/1620170" } ] }, "solution": [ { "lang": "en", "value": "Update Mattermost to version v7.2 or higher." } ], "source": { "advisory": "MMSA-2022-00115", "defect": [ "https://mattermost.atlassian.net/browse/MM-45503" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2022-3257", "datePublished": "2022-09-23T14:13:39", "dateReserved": "2022-09-21T00:00:00", "dateUpdated": "2024-08-03T01:07:05.657Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2792
Vulnerability from cvelistv5
Published
2023-06-16 09:01
Modified
2024-08-02 06:33
Summary
Ephemeral messages return private channel contents in permalink previews
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.569Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.1.9", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.8.4", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "affected", "version": "7.10.0" }, { "status": "unaffected", "version": "7.1.10" }, { "status": "unaffected", "version": "7.9.4" }, { "status": "unaffected", "version": "7.8.5" }, { "status": "unaffected", "version": "7.10.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Juho Nurminen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eMattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.\u003cbr\u003e\u003c/div\u003e" } ], "value": "Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", 
"value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-16T09:01:43.650Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update Mattermost to version 7.1.10, 7.8.5, 7.9.4, 7.10.1 or higher\u003cbr\u003e" } ], "value": "Update Mattermost to version 7.1.10, 7.8.5, 7.9.4, 7.10.1 or higher\n" } ], "source": { "advisory": "MMSA-2023-00161", "defect": [ "https://mattermost.atlassian.net/browse/MM-51033" ], "discovery": "INTERNAL" }, "title": "Ephemeral messages return private channel contents in permalink previews", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-2792", "datePublished": "2023-06-16T09:01:43.650Z", "dateReserved": "2023-05-18T12:10:39.031Z", "dateUpdated": "2024-08-02T06:33:05.569Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4106
Vulnerability from cvelistv5
Published
2023-08-11 06:12
Modified
2024-10-01 20:21
Summary
A guest user can perform various actions on public playbooks
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:17:11.962Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4106", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-01T20:20:46.702396Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-01T20:21:07.128Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.8.7", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.9.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "7.10.3", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.8.8" }, { "status": "unaffected", "version": "7.9.6" }, { "status": "unaffected", "version": "7.10.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eva Sarafianou" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to\u0026nbsp;view, join, edit, export and archive public playbooks.\u003c/p\u003e" } ], "value": "Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to\u00a0view, join, edit, export and archive 
public playbooks.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-11T06:12:11.064Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 7.8.8, 7.9.5, 7.10.4 or higher. Otherwise, update the Playbooks plugin to version\u0026nbsp;v1.37.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 7.8.8, 7.9.5, 7.10.4 or higher. Otherwise, update the Playbooks plugin to version\u00a0v1.37.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00181", "defect": [ "https://mattermost.atlassian.net/browse/MM-52475" ], "discovery": "INTERNAL" }, "title": "A guest user can perform various actions on public playbooks", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-4106", "datePublished": "2023-08-11T06:12:11.064Z", "dateReserved": "2023-08-02T15:06:14.198Z", "dateUpdated": "2024-10-01T20:21:07.128Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5339
Vulnerability from cvelistv5
Published
2023-10-17 09:30
Modified
2024-09-05 19:46
Summary
Mattermost Desktop logs all keystrokes during initial run after fresh installation
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:52:08.626Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-5339", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T19:46:00.484187Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T19:46:10.145Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "5.4.0", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "5.5.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Patrice Kolb" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDesktop\u0026nbsp;\u003c/span\u003efails to set an appropriate log level \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eduring initial run after fresh installation\u003c/span\u003e\u0026nbsp;resulting in logging all keystrokes\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;including password entry\u003c/span\u003e\u0026nbsp;being logged.\u0026nbsp;\u003c/p\u003e" } ], "value": "Mattermost Desktop\u00a0fails to set an appropriate log level during initial run after fresh installation\u00a0resulting in logging all keystrokes\u00a0including password entry\u00a0being logged.\u00a0\n\n" } ], "metrics": [ 
{ "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T09:30:41.612Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Desktop to versions 5.5.0 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Desktop to versions 5.5.0 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00235", "defect": [ "https://mattermost.atlassian.net/browse/MM-54169" ], "discovery": "EXTERNAL" }, "title": "Mattermost Desktop logs all keystrokes during initial run after fresh installation\u00a0", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-5339", "datePublished": "2023-10-17T09:30:41.612Z", "dateReserved": "2023-10-02T12:42:09.725Z", "dateUpdated": "2024-09-05T19:46:10.145Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28053
Vulnerability from cvelistv5
Published
2024-03-15 09:08
Modified
2024-08-12 13:40
Summary
Resource Exhaustion via the Invitation Feature
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:47.805Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-28053", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-12T13:39:54.382091Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T13:40:25.079Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "8.1.9", "status": "affected", "version": "8.1.0", "versionType": "semver" }, { "status": "unaffected", "version": "9.5.0" }, { "status": "unaffected", "version": "8.1.10" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": ". 
(themarkib0x0)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eResource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit\u0026nbsp;the size of the payload that can be read and parsed allowing an attacker to send a\u0026nbsp;very large email payload and crash the server.\u003c/p\u003e" } ], "value": "Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit\u00a0the size of the payload that can be read and parsed allowing an attacker to send a\u00a0very large email payload and crash the server.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-15T09:08:04.993Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions 9.5.0, 8.1.10 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions 9.5.0, 8.1.10 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00287", "defect": [ "https://mattermost.atlassian.net/browse/MM-55968" ], "discovery": "EXTERNAL" }, "title": "Resource Exhaustion via the Invitation Feature", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, 
"cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2024-28053", "datePublished": "2024-03-15T09:08:04.993Z", "dateReserved": "2024-03-14T09:38:07.478Z", "dateUpdated": "2024-08-12T13:40:25.079Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3590
Vulnerability from cvelistv5
Published
2023-07-17 15:28
Modified
2024-10-21 19:43
Summary
Deleted attachments in Boards remain accessible
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Mattermost | Mattermost |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:56.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://mattermost.com/security-updates" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3590", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-21T19:42:32.996082Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T19:43:23.581Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Mattermost", "vendor": "Mattermost", "versions": [ { "lessThanOrEqual": "7.10.2", "status": "affected", "version": "0", "versionType": "semver" }, { "status": "unaffected", "version": "7.10.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "BhaRat (hackit_bharat)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eMattermost\u0026nbsp;fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.\u003c/p\u003e" } ], "value": "Mattermost\u00a0fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } 
] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-17T15:28:50.860Z", "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost" }, "references": [ { "url": "https://mattermost.com/security-updates" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUpdate Mattermost Server to versions v7.10.3 or higher.\u003c/p\u003e" } ], "value": "Update Mattermost Server to versions v7.10.3 or higher.\n\n" } ], "source": { "advisory": "MMSA-2023-00174", "defect": [ "https://mattermost.atlassian.net/browse/MM-51879" ], "discovery": "EXTERNAL" }, "title": "Deleted attachments in Boards remain accessible", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "assignerShortName": "Mattermost", "cveId": "CVE-2023-3590", "datePublished": "2023-07-17T15:28:50.860Z", "dateReserved": "2023-07-10T15:01:13.653Z", "dateUpdated": "2024-10-21T19:43:23.581Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }