
CVSS: 3.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

26 Apr 2024 — Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Apr 2024 — Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Apr 2024 — Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Apr 2024 — Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages from API responses even when developer mode is off, which allows an attacker to obtain information about the server, such as the full path where files are stored. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 3.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Apr 2024 — Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user input, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVSS: 6.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

05 Apr 2024 — Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVSS: 4.7 | EPSS: 0% | CPEs: 4 | EXPL: 0

05 Apr 2024 — Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint, allowing a team admin to obtain the invite ID of their team and thus invite users, even if the "Add Members" permission was explicitly removed from team admins. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

05 Apr 2024 — Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences, which allows an attacker to send a large number of user preferences, potentially causing denial of service. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVSS: 6.4 | EPSS: 0% | CPEs: 4 | EXPL: 0

15 Mar 2024 — Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.0 | EPSS: 0% | CPEs: 5 | EXPL: 0

15 Mar 2024 — Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. • https://mattermost.com/security-updates • CWE-287: Improper Authentication