CVE-2023-3586 – Disabling publicly-shared boards does not disable existing publicly available board links
https://notcve.org/view.php?id=CVE-2023-3586
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVE-2023-3585 – channel DoS by sharing a boards link
https://notcve.org/view.php?id=CVE-2023-3585
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-3584 – Member can create team with team override scheme
https://notcve.org/view.php?id=CVE-2023-3584
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVE-2023-3582 – Lack of channel membership check when linking a board to a channel
https://notcve.org/view.php?id=CVE-2023-3582
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVE-2023-3581 – WebSockets accept connections from HTTPS origin
https://notcve.org/view.php?id=CVE-2023-3581
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. • https://mattermost.com/security-updates • CWE-346: Origin Validation Error •