CVE-2023-6547 – Playbooks access/modification by removed team member
https://notcve.org/view.php?id=CVE-2023-6547
12 Dec 2023 — Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2023-49607 – Playbook plugin crash via missing interface type assertion
https://notcve.org/view.php?id=CVE-2023-49607
12 Dec 2023 — Mattermost fails to validate the type of the "reminder" request body parameter, allowing an attacker to crash the Playbooks plugin when updating the status dialog. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVE-2023-49809 – Todo plugin gets crashed and disabled by member
https://notcve.org/view.php?id=CVE-2023-49809
12 Dec 2023 — Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with a null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-46701 – Inaccessible Post Information Leak via Run Timeline IDOR
https://notcve.org/view.php?id=CVE-2023-46701
12 Dec 2023 — Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-49874 – IDOR when updating the tasks of a private playbook run
https://notcve.org/view.php?id=CVE-2023-49874
12 Dec 2023 — Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run, allowing a guest to update the tasks of a private playbook run if they know the run ID. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2023-45847 – Playbook Plugin Crash via Run Checklist
https://notcve.org/view.php?id=CVE-2023-45847
12 Dec 2023 — Mattermost fails to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-6459 – Public endpoint /metrics of Calls plugin reveals channel IDs
https://notcve.org/view.php?id=CVE-2023-6459
06 Dec 2023 — Mattermost groups calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint reveals channelIDs. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-6458 – Client side path traversal due to lack of route parameters validation
https://notcve.org/view.php?id=CVE-2023-6458
06 Dec 2023 — Mattermost webapp fails to validate route parameters in /<TEAM_NAME>/channels/<CHANNEL_NAME>, allowing an attacker to perform a client-side path traversal. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-5333 – Denial of Service via multiple identical User IDs in /api/v4/users/ids
https://notcve.org/view.php?id=CVE-2023-5333
09 Oct 2023 — Mattermost fails to deduplicate input IDs, allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-5331 – File Information Leak via IDOR in file_id in Draft Posts
https://notcve.org/view.php?id=CVE-2023-5331
09 Oct 2023 — Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •