CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-47865 – Username and Icon override can be used by members when Hardened Mode is enabled
https://notcve.org/view.php?id=CVE-2023-47865
27 Nov 2023 — Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled Mattermost no verifica si el modo reforzado está habilitado al anular el nombre de usuario y/o el ícono al publicar una publicación. Si la configuración permitía que las integraciones ... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5969 – Denial of Service via Link Preview in /api/v4/redirect_location
https://notcve.org/view.php?id=CVE-2023-5969
06 Nov 2023 — Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to /api/v4/redirect_location, to fill up the memory due to caching large items. Mattermost no puede sanitizar adecuadamente la solicitud a /api/v4/redirect_location, lo que permite que un atacante envíe una solicitud especialmente manipulada a /api/v4/redirect_location para llenar la memoria debido al almacenamiento en caché de elementos grandes. Mattermost fails to proper... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5968 – Password hash in response body after username update
https://notcve.org/view.php?id=CVE-2023-5968
06 Nov 2023 — Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. Mattermost no sanitiza adecuadamente el objeto de usuario al actualizar el nombre de usuario, lo que hace que el hash de la contraseña se incluya en el cuerpo de la respuesta. • https://mattermost.com/security-updates • CWE-116: Improper Encoding or Escaping of Output CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5967 – Denial of Service via crashing the Calls Plugin
https://notcve.org/view.php?id=CVE-2023-5967
06 Nov 2023 — Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin Mattermost no valida correctamente las solicitudes al complemento Calls, lo que permite que un atacante que envíe una solicitud sin un encabezado de Agente de Usuario cause pánico y bloquee el complemento Calls. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5160 – Full name disclosure via team top membership with Show Full Name option disabled
https://notcve.org/view.php?id=CVE-2023-5160
02 Oct 2023 — Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled Mattermost no marca la opción "Show Full Name" en el endpoint /api/v4/teams/TEAM_ID/top/team_members, lo que permite a un miembro obtener el nombre completo de otro usuario incluso si la opción "Show Full Name" está deshabilitada. Mattermost fails to check the Show Full Name option at the /api/v4/teams... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5194 – A system/user manager can demote / deactivate another manager
https://notcve.org/view.php?id=CVE-2023-5194
29 Sep 2023 — Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager Mattermost no valida correctamente los permisos al degradar y desactivar a un usuario, lo que permite que un administrador de sistema/usuario degrade/desactive a otro administrador Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5195 – A team member can soft delete other teams that they are not part of
https://notcve.org/view.php?id=CVE-2023-5195
29 Sep 2023 — Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of Mattermost no valida correctamente los permisos al eliminar temporalmente un equipo, lo que permite a un miembro del equipo eliminar temporalmente otros equipos de los que no forma parte. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5193 – System Role with manage posts permission can read posts of Direct Messages
https://notcve.org/view.php?id=CVE-2023-5193
29 Sep 2023 — Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation. Mattermost no verifica correctamente los permisos al recuperar una publicación, lo que permite un rol del sistema con permiso para administrar canales para leer las publicaciones de una conversación de DM. Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage cha... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5196 – DoS via Channel Notification Properties
https://notcve.org/view.php?id=CVE-2023-5196
29 Sep 2023 — Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. Mattermost no aplica límites de caracteres en todos los posibles accesorios de notificación, lo que permite a un atacante enviar un valor muy largo para un notification_prop, lo que hace que el servidor consuma una canti... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5159 – A User Manager role with user edit permissions could manage/update bots
https://notcve.org/view.php?id=CVE-2023-5159
29 Sep 2023 — Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots. Mattermost no verifica adecuadamente los permisos al administrar/actualizar un bot, permitiendo una función de administrador de usuarios con permisos de edición de usuario para administrar/actualizar bots. Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •