CVE-2025-20621 – Webapp crash via object that can't be cast to String in Attachment Field
https://notcve.org/view.php?id=CVE-2025-20621
16 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input

CVE-2025-21088 – WebApp crash via improper validation of proto style in attachments
https://notcve.org/view.php?id=CVE-2025-21088
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. • https://mattermost.com/security-updates • CWE-704: Incorrect Type Conversion or Cast

CVE-2025-20033 – DoS via custom post type for sysconsole plugin readers
https://notcve.org/view.php?id=CVE-2025-20033
09 Jan 2025 — Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input