
CVSS: 6.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team in which they are a team admin. • https://mattermost.com/security-updates • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

CVSS: 6.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to properly validate the type of callProps, which allows a user to cause a client-side (webapp and mobile) DoS for users of particular channels by sending a specially crafted post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input

CVSS: 4.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts counter, which allows an attacker to bypass the "Max failed attempts" restriction and send a large number of login attempts before being blocked, by sending multiple login requests simultaneously. • https://mattermost.com/security-updates • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 8.2 | EPSS: 0% | CPEs: 4 | EXPL: 0

Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, and 9.5.x <= 9.5.11 fail to properly validate email addresses, which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input during email registration. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query Elasticsearch when searching for a channel name in the channel switcher, which allows an attacker to obtain the names of private channels they are not a member of, when Elasticsearch v8 is enabled. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor