CVE-2023-3577 – Limited blind SSRF to localhost/intranet in interactive dialog implementation
https://notcve.org/view.php?id=CVE-2023-3577
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. • https://mattermost.com/security-updates • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-2785 – Specially crafted search query can cause large log entries in postgres
https://notcve.org/view.php?id=CVE-2023-2785
Mattermost fails to properly truncate the postgres error log message of a search query failure, allowing an attacker to cause the creation of large log files, which can result in Denial of Service. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption
CVE-2023-2831 – Denial of Service while unescaping a Markdown string
https://notcve.org/view.php?id=CVE-2023-2831
Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption
CVE-2023-2797 – Path traversal in GitHub plugin's code preview feature
https://notcve.org/view.php?id=CVE-2023-2797
Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-2793 – Stack exhaustion in PreparePostForClientWithEmbedsAndImages
https://notcve.org/view.php?id=CVE-2023-2793
Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by linking to a specially crafted webpage in a message. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption