CVE-2023-5330 – Denial of Service via Opengraph Data Cache
https://notcve.org/view.php?id=CVE-2023-5330
Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. Mattermost no aplica un límite para el tamaño de la entrada de caché para los datos de OpenGraph, lo que permite a un atacante enviar una solicitud especialmente manipulada al /api/v4/opengraph, llenando el caché y haciendo que el servidor no esté disponible. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-4478 – Parameter tampering in the registration resulting in blocked accounts to be created
https://notcve.org/view.php?id=CVE-2023-4478
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. Mattermost no restringe los valores de los parámetros que toma de la solicitud durante el registro, lo que permite a un atacante registrar a los usuarios como inactivos, bloqueándoles así el acceso posterior a Mattermost sin que el administrador del sistema active sus cuentas. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-3614 – Denial of Service via specially crafted gif image
https://notcve.org/view.php?id=CVE-2023-3614
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to specially crafted image file. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-3613 – Guest accounts invited and added to channels by Welcomebot plugin
https://notcve.org/view.php?id=CVE-2023-3613
Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVE-2023-3585 – channel DoS by sharing a boards link
https://notcve.org/view.php?id=CVE-2023-3585
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •