CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2783 – App Framework does not checks for the secret provided in the incoming webhook request
https://notcve.org/view.php?id=CVE-2023-2783
Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2808 – Lack of URL normalization allows rendering previews for disallowed domains
https://notcve.org/view.php?id=CVE-2023-2808
Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link. • https://mattermost.com/security-updates • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2514 – DB username/password revealed in application logs
https://notcve.org/view.php?id=CVE-2023-2514
Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2515 – Privilege escalation to system admin via personal access tokens
https://notcve.org/view.php?id=CVE-2023-2515
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2000 – Unrestricted navigation due to unvalidated mattermost server redirection
https://notcve.org/view.php?id=CVE-2023-2000
Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website • https://mattermost.com/security-updates • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •