
CVSS: 9.6 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query for boards reordering, which allows an attacker to retrieve data from the database via SQL injection when reordering specially crafted board categories. • https://mattermost.com/security-updates • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.9 • EPSS: 3% • CPEs: 4 • EXPL: 1

24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards. • https://github.com/numanturle/CVE-2025-25279 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 3.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

24 Feb 2025 — Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot. • https://mattermost.com/security-updates • CWE-384: Session Fixation •

CVSS: 4.3 • EPSS: 0% • CPEs: 5 • EXPL: 0

24 Feb 2025 — Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export channel contents they should not have access to. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVSS: 3.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Feb 2025 — Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Jan 2025 — Mattermost Mobile versions <= 2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile app to crash by creating and sending such a post to a channel. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 6.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

16 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash by creating and sending such a post to a channel. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Jan 2025 — Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile app via crafted malicious input. • https://mattermost.com/security-updates • CWE-704: Incorrect Type Conversion or Cast •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Jan 2025 — Mattermost Mobile Apps versions <= 2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 6.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •