CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5195 – A team member can soft delete other teams that they are not part of
https://notcve.org/view.php?id=CVE-2023-5195
29 Sep 2023 — Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of Mattermost no valida correctamente los permisos al eliminar temporalmente un equipo, lo que permite a un miembro del equipo eliminar temporalmente otros equipos de los que no forma parte. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5193 – System Role with manage posts permission can read posts of Direct Messages
https://notcve.org/view.php?id=CVE-2023-5193
29 Sep 2023 — Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. Mattermost no verifica correctamente los permisos al recuperar una publicación, lo que permite un rol del sistema con permiso para administrar canales para leer las publicaciones de una conversación de DM. Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage cha... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5196 – DoS via Channel Notification Properties
https://notcve.org/view.php?id=CVE-2023-5196
29 Sep 2023 — Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. Mattermost no aplica límites de caracteres en todos los posibles accesorios de notificación, lo que permite a un atacante enviar un valor muy largo para un notification_prop, lo que hace que el servidor consuma una canti... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5159 – A User Manager role with user edit permissions could manage/update bots
https://notcve.org/view.php?id=CVE-2023-5159
29 Sep 2023 — Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. Mattermost no verifica adecuadamente los permisos al administrar/actualizar un bot, permitiendo una función de administrador de usuarios con permisos de edición de usuario para administrar/actualizar bots. Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3615 – Lack of server certificate validation in websockets connection
https://notcve.org/view.php?id=CVE-2023-3615
17 Jul 2023 — Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. • https://mattermost.com/security-updates • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2785 – Specially crafted search query can cause large log entries in postgres
https://notcve.org/view.php?id=CVE-2023-2785
16 Jun 2023 — Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2831 – Denial of Service while unescaping a Markdown string
https://notcve.org/view.php?id=CVE-2023-2831
16 Jun 2023 — Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2797 – Path traversal in GitHub plugin's code preview feature
https://notcve.org/view.php?id=CVE-2023-2797
16 Jun 2023 — Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2792 – Ephemeral messages return private channel contents in permalink previews
https://notcve.org/view.php?id=CVE-2023-2792
16 Jun 2023 — Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2788 – Deactivated user can retain access using oauth2 api
https://notcve.org/view.php?id=CVE-2023-2788
16 Jun 2023 — Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. • https://mattermost.com/security-updates • CWE-613: Insufficient Session Expiration CWE-862: Missing Authorization •