CVE-2023-5969 – Denial of Service via Link Preview in /api/v4/redirect_location
https://notcve.org/view.php?id=CVE-2023-5969
Mattermost fails to properly sanitize requests to /api/v4/redirect_location, allowing an attacker who sends a specially crafted request to that endpoint to fill up server memory, because the large items the request produces are cached.
References: https://mattermost.com/security-updates
CWE-400: Uncontrolled Resource Consumption
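The advisory describes the resource-exhaustion pattern only in one sentence: a value the server fetched on the attacker's behalf is cached without regard to its size. The Go example below is an added illustration of that pattern and of the two checks a practitioner would add (a per-item size cap and a global memory budget with eviction); it is not Mattermost's code, and the cache type, the limit constants and the URLs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Hypothetical limits for a redirect-location cache. The names and values are
// assumptions for this example, not Mattermost's configuration.
const (
	maxEntryBytes = 4 * 1024  // largest single value the cache will accept
	maxTotalBytes = 64 * 1024 // total memory budget for all cached values
)

var errEntryTooLarge = errors.New("cache: entry exceeds per-item limit")

// linkCache maps a requested URL to the Location it resolved to.
type linkCache struct {
	mu    sync.Mutex
	items map[string]string
	order []string // insertion order, oldest first, used for eviction
	total int      // bytes currently held
}

func newLinkCache() *linkCache { return &linkCache{items: map[string]string{}} }

// putLocked stores a value and keeps the byte count and insertion order in
// sync. Caller must hold c.mu.
func (c *linkCache) putLocked(key, value string) {
	if old, ok := c.items[key]; ok {
		c.total -= len(old)
	} else {
		c.order = append(c.order, key)
	}
	c.items[key] = value
	c.total += len(value)
}

// unboundedSet mirrors the flaw class in the advisory: whatever the upstream
// server answered is cached as-is, so a request that points at an
// attacker-run server pins as much memory as the attacker chooses to return.
func (c *linkCache) unboundedSet(key, value string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.putLocked(key, value)
}

// boundedSet refuses oversized values and evicts the oldest entries until the
// cache is back under its global budget.
func (c *linkCache) boundedSet(key, value string) error {
	if len(value) > maxEntryBytes {
		return errEntryTooLarge
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.putLocked(key, value)
	for c.total > maxTotalBytes && len(c.order) > 0 {
		oldest := c.order[0]
		c.order = c.order[1:]
		c.total -= len(c.items[oldest])
		delete(c.items, oldest)
	}
	return nil
}

// stats reports how many entries the cache holds and how many bytes they use.
func (c *linkCache) stats() (entries, bytes int) {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.items), c.total
}

func main() {
	// Constructed oversized value standing in for an attacker-controlled Location.
	attackerPayload := strings.Repeat("A", 10*maxEntryBytes)

	weak := newLinkCache()
	weak.unboundedSet("https://attacker.example/1", attackerPayload)
	n, b := weak.stats()
	fmt.Printf("unbounded: %d entries, %d bytes\n", n, b)

	hard := newLinkCache()
	err := hard.boundedSet("https://attacker.example/1", attackerPayload)
	fmt.Println("bounded rejected oversized entry:", err)
	for i := 0; i < 20; i++ { // 20 * 4 KiB exceeds the 64 KiB budget, so the oldest are evicted
		_ = hard.boundedSet(fmt.Sprintf("https://example.com/%d", i), strings.Repeat("B", maxEntryBytes))
	}
	n, b = hard.stats()
	fmt.Printf("bounded: %d entries, %d bytes\n", n, b)
}
```

The size check belongs before the value is ever held in memory, so in a real handler the same cap would also be applied while reading the upstream response (for example with an io.LimitReader), not only at the cache boundary.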
CVE-2023-5968 – Password hash in response body after username update
https://notcve.org/view.php?id=CVE-2023-5968
Mattermost fails to properly sanitize the user object when updating the username, so the password hash is included in the response body.
References: https://mattermost.com/security-updates
CWE-116: Improper Encoding or Escaping of Output; CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
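The bug class here is a stored record being serialized straight into an API response without a sanitization step. The Go example below is added to show that step and a regression check for it; it is not Mattermost's model or handler code, and the User struct, its field names and the hash value are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical stored user record. Field names are assumptions for
// this example, not Mattermost's model.
type User struct {
	ID       string  `json:"id"`
	Username string  `json:"username"`
	Email    string  `json:"email"`
	Password string  `json:"password,omitempty"` // password hash as stored at rest
	AuthData *string `json:"auth_data,omitempty"`
}

// Sanitize clears the fields that must never leave the server.
func (u *User) Sanitize() {
	u.Password = ""
	u.AuthData = nil
}

// updateUsernameLeaky mirrors the advisory's flaw: the updated record is
// encoded and returned as-is, hash included.
func updateUsernameLeaky(stored User, newName string) ([]byte, error) {
	stored.Username = newName
	return json.Marshal(stored)
}

// updateUsernameSafe applies the same update but sanitizes the copy that is
// sent back. stored is passed by value, so the persisted record keeps its hash.
func updateUsernameSafe(stored User, newName string) ([]byte, error) {
	stored.Username = newName
	stored.Sanitize()
	return json.Marshal(stored)
}

// responseLeaksHash is the check a test suite would run against every
// endpoint that returns a user: true if a non-empty password field is present.
func responseLeaksHash(body []byte) bool {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return true // treat undecodable output as a failure, not a pass
	}
	v, ok := m["password"]
	return ok && v != ""
}

func main() {
	// Constructed record; the hash is a placeholder, not a real bcrypt digest.
	u := User{ID: "u1", Username: "old", Email: "u1@example.com", Password: "$2a$10$constructedhash"}

	leaky, _ := updateUsernameLeaky(u, "renamed")
	fmt.Printf("unsanitized: %s\n  leaks hash: %v\n", leaky, responseLeaksHash(leaky))

	safe, _ := updateUsernameSafe(u, "renamed")
	fmt.Printf("sanitized:   %s\n  leaks hash: %v\n", safe, responseLeaksHash(safe))
}
```

A call to Sanitize that someone has to remember is exactly what was missed here, so the stronger design is structural: keep the hash in a type that is never encoded (a `json:"-"` tag, or a separate response DTO that has no hash field at all), and keep the leak check above as a guard for any path that still returns the storage type.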
CVE-2023-5967 – Denial of Service via crashing the Calls Plugin
https://notcve.org/view.php?id=CVE-2023-5967
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker who sends a request without a User-Agent header to trigger a panic that crashes the Calls plugin.
References: https://mattermost.com/security-updates
CWE-754: Improper Check for Unusual or Exceptional Conditions
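The advisory gives the trigger (a request with no User-Agent header) and the effect (a panic) but not the code path. The Go example below is an added illustration of the bug class and its fix, not the Calls plugin's actual code: a handler that indexes the header slice without checking it, the checked version that rejects the request instead, and a recover wrapper as a last line of defence. The handler names and the request path are assumptions made for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// crashingHandler mirrors the bug class in the advisory: it assumes the
// User-Agent header is present and indexes the header slice, which panics
// with an index-out-of-range when the header is absent.
func crashingHandler(w http.ResponseWriter, r *http.Request) {
	ua := r.Header["User-Agent"][0]
	fmt.Fprintf(w, "hello %s", ua)
}

// checkedHandler treats a missing header as a client error instead of
// trusting that it is there.
func checkedHandler(w http.ResponseWriter, r *http.Request) {
	ua := r.UserAgent() // returns "" when the header is absent, never panics
	if ua == "" {
		http.Error(w, "missing User-Agent header", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "hello %s", ua)
}

// recoverMiddleware converts a panic in the wrapped handler into a 500 so a
// single malformed request cannot take the process down.
func recoverMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in handler: %v", rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed request to the handler, with or without a
// User-Agent header, and returns the status code. httptest.NewRequest sets
// no User-Agent of its own. The path is hypothetical.
func probe(h http.Handler, userAgent string) int {
	req := httptest.NewRequest(http.MethodGet, "/plugins/calls/probe", nil)
	if userAgent != "" {
		req.Header.Set("User-Agent", userAgent)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	fmt.Println("checked, with UA:    ", probe(http.HandlerFunc(checkedHandler), "calls-client/1.0"))
	fmt.Println("checked, without UA: ", probe(http.HandlerFunc(checkedHandler), ""))
	fmt.Println("crashing + recover:  ", probe(recoverMiddleware(http.HandlerFunc(crashingHandler)), ""))
	// probe(http.HandlerFunc(crashingHandler), "") would panic and abort this program.
}
```

Go's net/http server does recover a panic raised directly inside ServeHTTP (it logs it and drops that connection), but that safety net does not cover goroutines a handler starts or handler code reached through another transport, which is why the explicit header check is the real fix and the recover wrapper is only a backstop at the boundary.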
CVE-2023-5920 – Lack Of Secure Keyboard Entry Protection in MacOS Desktop
https://notcve.org/view.php?id=CVE-2023-5920
Mattermost Desktop for macOS fails to use the secure keyboard input functionality that macOS provides, allowing other processes to read keyboard input.
References: https://mattermost.com/security-updates
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5875 – Lack of Hardening against media exploitation from a remote origin
https://notcve.org/view.php?id=CVE-2023-5875
Mattermost Desktop fails to correctly handle certain sensitive permissions, or to prompt the user for consent before granting them, allowing media exploitation from a malicious Mattermost server.
References: https://mattermost.com/security-updates
CWE-693: Protection Mechanism Failure