CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3614 – Denial of Service via specially crafted gif image
https://notcve.org/view.php?id=CVE-2023-3614
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3613 – Guest accounts invited and added to channels by Welcomebot plugin
https://notcve.org/view.php?id=CVE-2023-3613
Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3591 – Lack of previous password reset tokens on new token creation
https://notcve.org/view.php?id=CVE-2023-3591
Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. • https://mattermost.com/security-updates • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3590 – Deleted attachments in Boards remain accessible
https://notcve.org/view.php?id=CVE-2023-3590
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 2.7EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3587 – Inconsistent state in UI after boards permission change by system admin
https://notcve.org/view.php?id=CVE-2023-3587
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •