CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5330 – Denial of Service via Opengraph Data Cache
https://notcve.org/view.php?id=CVE-2023-5330
09 Oct 2023 — Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. Mattermost no aplica un límite para el tamaño de la entrada de caché para los datos de OpenGraph, lo que permite a un atacante enviar una solicitud especialmente manipulada al /api/v4/opengraph, llenando el caché y haciendo que el servidor no esté disponible. Mattermost fails to enforce a... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4478 – Parameter tampering in the registration resulting in blocked accounts to be created
https://notcve.org/view.php?id=CVE-2023-4478
25 Aug 2023 — Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. Mattermost no restringe los valores de los parámetros que toma de la solicitud durante el registro, lo que permite a un atacante registrar a los usuarios como inactivos, bloqueándoles así el acceso posterior a Mattermost sin que el administrador del sistema activ... • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3614 – Denial of Service via specially crafted gif image
https://notcve.org/view.php?id=CVE-2023-3614
17 Jul 2023 — Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3613 – Guest accounts invited and added to channels by Welcomebot plugin
https://notcve.org/view.php?id=CVE-2023-3613
17 Jul 2023 — Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3585 – channel DoS by sharing a boards link
https://notcve.org/view.php?id=CVE-2023-3585
17 Jul 2023 — Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2515 – Privilege escalation to system admin via personal access tokens
https://notcve.org/view.php?id=CVE-2023-2515
12 May 2023 — Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2281 – Archiving a team broadcasts unsanitized data over WebSockets
https://notcve.org/view.php?id=CVE-2023-2281
25 Apr 2023 — When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-1831 – User password logged in audit logs
https://notcve.org/view.php?id=CVE-2023-1831
17 Apr 2023 — Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-1777 – Information disclosure in linked message previews
https://notcve.org/view.php?id=CVE-2023-1777
31 Mar 2023 — Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1776 – Stored XSS via SVG attachment on Boards
https://notcve.org/view.php?id=CVE-2023-1776
31 Mar 2023 — Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. • https://mattermost.com/security-updates • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •