CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-28949 – DoS via a large number of User Preferences
https://notcve.org/view.php?id=CVE-2024-28949
05 Apr 2024 — Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service. Las versiones de Mattermost Server 9.5.x anteriores a 9.5.2, 9.4.x anteriores a 9.4.4, 9.3.x anteriores a 9.3.3, 8.1.x anteriores a 8.1.11 no limitan el número de preferencias de usuario que permiten a un atacante enviar un gran número de preferencias del... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21848 – Users maintain access to active call after being removed from a channel
https://notcve.org/view.php?id=CVE-2024-21848
05 Apr 2024 — Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel El control de acceso inadecuado en las versiones 8.1.x anteriores a 8.1.11 de Mattermost Server permite que un atacante que se encuentra en un canal con una llamada activa siga participando en la llamada incluso si se elimina del canal. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2445 – Reflected XSS in Mattermost Jira plugin
https://notcve.org/view.php?id=CVE-2024-2445
15 Mar 2024 — Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server. Las versiones del complemento Mattermost Jira enviadas con las versiones 8.1.x anteriores a 8.1.10, 9.2.x anteriores a 9.2.6, 9.3.x anteriores a 9.3.2 y 9.4.x anteriores a 9.4.3... • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-2450
https://notcve.org/view.php?id=CVE-2024-2450
15 Mar 2024 — Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. Las versiones de Mattermost 8.1.x anteriores a 8.1.10, 9.2.x anteriores a 9.2.6, 9.3.x anteriores a 9.3.2 y 9.4.x anteriores a 9.4.3 no verifican correctamente la propiedad de la cuenta al ca... • https://mattermost.com/security-updates • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2446
https://notcve.org/view.php?id=CVE-2024-2446
15 Mar 2024 — Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages. Las versiones de Mattermost 8.1.x anteriores a 8.1.10, 9.2.x anteriores a 9.2.6, 9.3.x anteriores a 9.3.2 y 9.4.x anteriores a 9.4.3 no limitan el número de @menciones procesadas por mensaje, lo que permite un atacante autenticado par... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28053 – Resource Exhaustion via the Invitation Feature
https://notcve.org/view.php?id=CVE-2024-28053
15 Mar 2024 — Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server. El agotamiento de recursos en las versiones 8.1.x anteriores a 8.1.10 de Mattermost Server no limita el tamaño del payload que se puede leer y analizar, lo que permite a un atacante enviar un payload de correo electrónico muy grande y bloquear el servidor. Resource Exhaustion in Mattermost Server... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24975 – Denial of Service for mobile app users due to automatic code highlighting
https://notcve.org/view.php?id=CVE-2024-24975
15 Mar 2024 — Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app. El consumo incontrolado de recursos en las versiones de Mattermost Mobile anteriores a la 2.13.0 no limita el tamaño del bloque de código que será procesado por el resaltador de sintaxis, lo que permite a un atacante enviar un bloque de código muy grande y bloque... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1953
https://notcve.org/view.php?id=CVE-2024-1953
29 Feb 2024 — Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request. Las versiones de Mattermost 8.1.x anteriores a 8.1.9, 9.2.x anteriores a 9.2.5, 9.3.0 y 9.4.x anteriores a 9.4.2 no limitan el número de nombres de roles solicitados desde la API, lo que permite a un atacante autenticado provocar... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1952
https://notcve.org/view.php?id=CVE-2024-1952
29 Feb 2024 — Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of. La versión 8.1.x anterior a la 8.1.9 de Mattermost no sanitiza los datos asociados con los enlaces permanentes cuando un complemento actualiza una publicación efímera, lo que permite a un atacante autenticado que puede controlar la... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1949
https://notcve.org/view.php?id=CVE-2024-1949
29 Feb 2024 — A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts. Una condición de ejecución en las versiones 8.1.x anteriores a 8.1.9 y 9.4.x anteriores a 9.4.2 de Mattermost permite a un atacante autenticado obtener acceso no autorizado al contenido de publicaciones individuales mediante una creación de publicaciones cuidadosamente ... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •