CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48268 – Denial of Service via Board Import Zip Bomb
https://notcve.org/view.php?id=CVE-2023-48268
27 Nov 2023 — Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb). Mattermost no limita la cantidad de datos extraídos de archivos comprimidos durante la importación de tableros en Mattermost Boards, lo que permite a un atacante consumir recursos excesivos, lo que posiblemente lleve a una denegación de... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-45223 – Users full name disclosure through Mattermost Boards with Show Full Name Option disabled
https://notcve.org/view.php?id=CVE-2023-45223
27 Nov 2023 — Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. Mattermost no valida correctamente la opción "Mostrar nombre completo" en algunos endpoint de los tableros de Mattermost, lo que permite a un miembro obtener el nombre completo de otro usuario incluso si la opción Show Full Name estaba deshabilitada. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-47865 – Username and Icon override can be used by members when Hardened Mode is enabled
https://notcve.org/view.php?id=CVE-2023-47865
27 Nov 2023 — Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled Mattermost no verifica si el modo reforzado está habilitado al anular el nombre de usuario y/o el ícono al publicar una publicación. Si la configuración permitía que las integraciones ... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5969 – Denial of Service via Link Preview in /api/v4/redirect_location
https://notcve.org/view.php?id=CVE-2023-5969
06 Nov 2023 — Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. Mattermost no puede sanitizar adecuadamente la solicitud a /api/v4/redirect_location, lo que permite que un atacante envíe una solicitud especialmente manipulada a /api/v4/redirect_location para llenar la memoria debido al almacenamiento en caché de elementos grandes. Mattermost fails to proper... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5968 – Password hash in response body after username update
https://notcve.org/view.php?id=CVE-2023-5968
06 Nov 2023 — Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. Mattermost no sanitiza adecuadamente el objeto de usuario al actualizar el nombre de usuario, lo que hace que el hash de la contraseña se incluya en el cuerpo de la respuesta. • https://mattermost.com/security-updates • CWE-116: Improper Encoding or Escaping of Output CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5967 – Denial of Service via crashing the Calls Plugin
https://notcve.org/view.php?id=CVE-2023-5967
06 Nov 2023 — Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin Mattermost no valida correctamente las solicitudes al complemento Calls, lo que permite que un atacante que envíe una solicitud sin un encabezado de Agente de Usuario cause pánico y bloquee el complemento Calls. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5522 – Mobile app freezes when receiving a post with hundreds of emojis
https://notcve.org/view.php?id=CVE-2023-5522
17 Oct 2023 — Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. Mattermost Mobile no limita la cantidad máxima de elementos Markdown en una publicación, lo que permite a un atacante enviar una publicación con cientos de emojis a un canal y congelar la aplicación móvil de los usuarios cuando ven ese canal en particular. Mattermost Mobile fails to... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3615 – Lack of server certificate validation in websockets connection
https://notcve.org/view.php?id=CVE-2023-3615
17 Jul 2023 — Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. • https://mattermost.com/security-updates • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2514 – DB username/password revealed in application logs
https://notcve.org/view.php?id=CVE-2023-2514
12 May 2023 — Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1562 – Full name revealed via /plugins/focalboard/api/v2/users
https://notcve.org/view.php?id=CVE-2023-1562
22 Mar 2023 — Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •