CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2808 – Lack of URL normalization allows rendering previews for disallowed domains
https://notcve.org/view.php?id=CVE-2023-2808
29 May 2023 — Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link. • https://mattermost.com/security-updates • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2514 – DB username/password revealed in application logs
https://notcve.org/view.php?id=CVE-2023-2514
12 May 2023 — Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2193 – Oauth authorization codes do not expire when deauthorizing an oauth2 app
https://notcve.org/view.php?id=CVE-2023-2193
20 Apr 2023 — Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1562 – Full name revealed via /plugins/focalboard/api/v2/users
https://notcve.org/view.php?id=CVE-2023-1562
22 Mar 2023 — Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-27264 – IDOR: Updating a playbook via the Playbooks API
https://notcve.org/view.php?id=CVE-2023-27264
27 Feb 2023 — A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-27263 – IDOR: Accessing playbook runs via the Playbooks Runs API
https://notcve.org/view.php?id=CVE-2023-27263
27 Feb 2023 — A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •