CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-20086 – Insufficient Input Validation on Post Props
https://notcve.org/view.php?id=CVE-2025-20086
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21088 – WebApp crash via improper validation of proto style in attachments
https://notcve.org/view.php?id=CVE-2025-21088
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. • https://mattermost.com/security-updates • CWE-704: Incorrect Type Conversion or Cast •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22445 – Misleading UI for undefined admin console settings in Calls causes security confusion
https://notcve.org/view.php?id=CVE-2025-22445
09 Jan 2025 — Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-20033 – DoS via custom post type for sysconsole plugin readers
https://notcve.org/view.php?id=CVE-2025-20033
09 Jan 2025 — Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-54682 – Zipbomb DoS via Missing Slack Import Validation
https://notcve.org/view.php?id=CVE-2024-54682
16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. • https://mattermost.com/security-updates • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-54083 – DoS via lack of type validation in Calls
https://notcve.org/view.php?id=CVE-2024-54083
16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels,... • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-48872 – Bypass of "Max failed attempts" restriction via race condition
https://notcve.org/view.php?id=CVE-2024-48872
16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed ... • https://mattermost.com/security-updates • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11599 – Domain Restriction Bypass on Registration
https://notcve.org/view.php?id=CVE-2024-11599
28 Nov 2024 — Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration. Las versiones de Mattermost 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 no logran validar correctamente las direcciones de correo electrónico, lo que permite que un usuario no autenticado eluda las restricciones de dom... • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52032 – Private channel names leaking when Elasticsearch is enabled
https://notcve.org/view.php?id=CVE-2024-52032
09 Nov 2024 — Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled. Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they ... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-42000 – Unauthorized Access to view channels' details
https://notcve.org/view.php?id=CVE-2024-42000
09 Nov 2024 — Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that they were not a member of by sending a request to /api/v4/channels. Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •