CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4105 – Attachment of deleted message in a thread remains accessible and downloadable
https://notcve.org/view.php?id=CVE-2023-4105
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3615 – Lack of server certificate validation in websockets connection
https://notcve.org/view.php?id=CVE-2023-3615
Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. • https://mattermost.com/security-updates • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2785 – Specially crafted search query can cause large log entries in postgres
https://notcve.org/view.php?id=CVE-2023-2785
Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2831 – Denial of Service while unescaping a Markdown string
https://notcve.org/view.php?id=CVE-2023-2831
Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2797 – Path traversal in GitHub plugin's code preview feature
https://notcve.org/view.php?id=CVE-2023-2797
Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •