CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5196 – DoS via Channel Notification Properties
https://notcve.org/view.php?id=CVE-2023-5196
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. Mattermost no aplica límites de caracteres en todos los posibles accesorios de notificación, lo que permite a un atacante enviar un valor muy largo para un notification_prop, lo que hace que el servidor consuma una cantidad anormal de recursos informáticos y posiblemente deje de estar disponible temporalmente para sus usuarios. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5159 – A User Manager role with user edit permissions could manage/update bots
https://notcve.org/view.php?id=CVE-2023-5159
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. Mattermost no verifica adecuadamente los permisos al administrar/actualizar un bot, permitiendo una función de administrador de usuarios con permisos de edición de usuario para administrar/actualizar bots. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4478 – Parameter tampering in the registration resulting in blocked accounts to be created
https://notcve.org/view.php?id=CVE-2023-4478
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. Mattermost no restringe los valores de los parámetros que toma de la solicitud durante el registro, lo que permite a un atacante registrar a los usuarios como inactivos, bloqueándoles así el acceso posterior a Mattermost sin que el administrador del sistema active sus cuentas. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4108 – Audit logging fails to sanitize post metadata
https://notcve.org/view.php?id=CVE-2023-4108
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged • https://mattermost.com/security-updates • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4107 – Incorrect authorization allows a user manager to update a system admin
https://notcve.org/view.php?id=CVE-2023-4107
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •