CVE-2023-5330 – Denial of Service via Opengraph Data Cache
https://notcve.org/view.php?id=CVE-2023-5330
Mattermost fails to enforce a limit on the size of cache entries for OpenGraph data, allowing an attacker to send a specially crafted request to /api/v4/opengraph that fills the cache and renders the server unavailable. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2023-5160 – Full name disclosure via team top membership with Show Full Name option disabled
https://notcve.org/view.php?id=CVE-2023-5160
Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint, allowing a member to obtain the full name of another user even if the Show Full Name option is disabled. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5194 – A system/user manager can demote / deactivate another manager
https://notcve.org/view.php?id=CVE-2023-5194
Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization
CVE-2023-5195 – A team member can soft delete other teams that they are not part of
https://notcve.org/view.php?id=CVE-2023-5195
Mattermost fails to properly validate permissions when soft deleting a team, allowing a team member to soft delete other teams that they are not part of. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization
CVE-2023-5193 – System Role with manage posts permission can read posts of Direct Messages
https://notcve.org/view.php?id=CVE-2023-5193
Mattermost fails to properly check permissions when retrieving a post, allowing a System Role with the permission to manage channels to read the posts of a DM conversation. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization