CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-43754 – Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels
https://notcve.org/view.php?id=CVE-2023-43754
27 Nov 2023 — Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled. Mattermost no verifica si la configuración "Permitir a los usuarios ver canales archivados" está habilitada durante la visualización de vistas previas de enlaces permanentes, lo que permite a los miembros ver vistas previas de enlaces permane... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48369 – Log Flooding due to specially crafted requests in different endpoints
https://notcve.org/view.php?id=CVE-2023-48369
27 Nov 2023 — Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log. Mattermost no logra limitar el tamaño de los registros del servidor, lo que permite que un atacante envíe solicitudes especialmente manipuladas a diferentes endpoint para potencialmente desbordar el registro. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-40703 – Denial of Service via specially crafted block fields in Mattermost Boards
https://notcve.org/view.php?id=CVE-2023-40703
27 Nov 2023 — Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. Mattermost no logra limitar adecuadamente los caracteres permitidos en diferentes campos de un bloque en Mattermost Boards, lo que permite a un atacante consumir recursos excesivos, lo que posiblemente lleve a una Denegación de Servicio, al par... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48268 – Denial of Service via Board Import Zip Bomb
https://notcve.org/view.php?id=CVE-2023-48268
27 Nov 2023 — Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb). Mattermost no limita la cantidad de datos extraídos de archivos comprimidos durante la importación de tableros en Mattermost Boards, lo que permite a un atacante consumir recursos excesivos, lo que posiblemente lleve a una denegación de... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5969 – Denial of Service via Link Preview in /api/v4/redirect_location
https://notcve.org/view.php?id=CVE-2023-5969
06 Nov 2023 — Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. Mattermost no puede sanitizar adecuadamente la solicitud a /api/v4/redirect_location, lo que permite que un atacante envíe una solicitud especialmente manipulada a /api/v4/redirect_location para llenar la memoria debido al almacenamiento en caché de elementos grandes. Mattermost fails to proper... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5968 – Password hash in response body after username update
https://notcve.org/view.php?id=CVE-2023-5968
06 Nov 2023 — Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. Mattermost no sanitiza adecuadamente el objeto de usuario al actualizar el nombre de usuario, lo que hace que el hash de la contraseña se incluya en el cuerpo de la respuesta. • https://mattermost.com/security-updates • CWE-116: Improper Encoding or Escaping of Output CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •