CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5330 – Denial of Service via Opengraph Data Cache
https://notcve.org/view.php?id=CVE-2023-5330
09 Oct 2023 — Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. Mattermost no aplica un límite para el tamaño de la entrada de caché para los datos de OpenGraph, lo que permite a un atacante enviar una solicitud especialmente manipulada al /api/v4/opengraph, llenando el caché y haciendo que el servidor no esté disponible. Mattermost fails to enforce a... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4478 – Parameter tampering in the registration resulting in blocked accounts to be created
https://notcve.org/view.php?id=CVE-2023-4478
25 Aug 2023 — Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. Mattermost no restringe los valores de los parámetros que toma de la solicitud durante el registro, lo que permite a un atacante registrar a los usuarios como inactivos, bloqueándoles así el acceso posterior a Mattermost sin que el administrador del sistema activ... • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3593 – Server crash via a specially crafted markdown input
https://notcve.org/view.php?id=CVE-2023-3593
17 Jul 2023 — Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3614 – Denial of Service via specially crafted gif image
https://notcve.org/view.php?id=CVE-2023-3614
17 Jul 2023 — Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3613 – Guest accounts invited and added to channels by Welcomebot plugin
https://notcve.org/view.php?id=CVE-2023-3613
17 Jul 2023 — Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3591 – Lack of previous password reset tokens on new token creation
https://notcve.org/view.php?id=CVE-2023-3591
17 Jul 2023 — Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created. • https://mattermost.com/security-updates • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3590 – Deleted attachments in Boards remain accessible
https://notcve.org/view.php?id=CVE-2023-3590
17 Jul 2023 — Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3587 – Inconsistent state in UI after boards permission change by system admin
https://notcve.org/view.php?id=CVE-2023-3587
17 Jul 2023 — Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3586 – Disabling publicly-shared boards does not disable existing publicly available board links
https://notcve.org/view.php?id=CVE-2023-3586
17 Jul 2023 — Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3585 – channel DoS by sharing a boards link
https://notcve.org/view.php?id=CVE-2023-3585
17 Jul 2023 — Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •