
CVE-2024-4182
https://notcve.org/view.php?id=CVE-2024-4182
26 Apr 2024 — Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVE-2024-32046 – Detailed error discloses full file path with dev mode off
https://notcve.org/view.php?id=CVE-2024-32046
26 Apr 2024 — Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if developer mode is off, which allows an attacker to get information about the server, such as the full path where files are stored. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-22091 – Excessive resource consumption due to lack of request path size limits
https://notcve.org/view.php?id=CVE-2024-22091
26 Apr 2024 — Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVE-2024-3872
https://notcve.org/view.php?id=CVE-2024-3872
16 Apr 2024 — Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVE-2024-2447
https://notcve.org/view.php?id=CVE-2024-2447
05 Apr 2024 — Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVE-2024-29221 – Invite ID available to team admins even without the "Add Members" permission
https://notcve.org/view.php?id=CVE-2024-29221
05 Apr 2024 — Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 lack proper access control in the `/api/v4/users/me/teams` endpoint, allowing a team admin to get the invite ID of their team and thus invite users, even if the "Add Members" permission was explicitly removed from team admins. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVE-2024-28949 – DoS via a large number of User Preferences
https://notcve.org/view.php?id=CVE-2024-28949
05 Apr 2024 — Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 do not limit the number of user preferences, which allows an attacker to send a large number of user preferences, potentially causing denial of service. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVE-2024-21848 – Users maintain access to active call after being removed from a channel
https://notcve.org/view.php?id=CVE-2024-21848
05 Apr 2024 — Improper access control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker who is in a channel with an active call to keep participating in the call even after being removed from the channel. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVE-2024-2445 – Reflected XSS in Mattermost Jira plugin
https://notcve.org/view.php?id=CVE-2024-2445
15 Mar 2024 — Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2024-2450
https://notcve.org/view.php?id=CVE-2024-2450
15 Mar 2024 — Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. • https://mattermost.com/security-updates • CWE-287: Improper Authentication