CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43105 – Excessive Resource Consumption via `/export`
https://notcve.org/view.php?id=CVE-2024-43105
23 Aug 2024 — Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple times at once. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-43780 – Unauthorized channel file upload
https://notcve.org/view.php?id=CVE-2024-43780
22 Aug 2024 — Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-42497 – Insufficient permissions checks on teams
https://notcve.org/view.php?id=CVE-2024-42497
22 Aug 2024 — Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-40884 – Unauthorized disabling of invite URL
https://notcve.org/view.php?id=CVE-2024-40884
22 Aug 2024 — Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8071 – System Role with edit access to permissions can elevate themselves to system admin
https://notcve.org/view.php?id=CVE-2024-8071
22 Aug 2024 — Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin. Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 y 9.8.x <= 9.8.2 no restringen qué roles pueden promover a un usuar... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-42411 – User creation date manipulation in POST /api/v4/users
https://notcve.org/view.php?id=CVE-2024-42411
22 Aug 2024 — Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older. Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 no pueden restringir la entrada en POST /api/v4/users lo que permite a un usuario manipular la fecha de creación en POST /api/v4/users e... • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40886 – One-click Client-Side Path Traversal Leading to CSRF in User Management admin page
https://notcve.org/view.php?id=CVE-2024-40886
22 Aug 2024 — Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console. Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 no desinfectan las entradas del usuario en la interfaz que se utilizan para la redirección lo que permite path traversal... • https://mattermost.com/security-updates • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43813 – IDOR when marking read a user's channel
https://notcve.org/view.php?id=CVE-2024-43813
22 Aug 2024 — Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user. Las versiones 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 de Mattermost no aplican controles de acceso adecuados que permiten a cualquier usuario autenticado, incluidos los invitados, marcar cualquier canal dentro de cualquier equipo como leído para cualquier usuario. Mattermost versions 9.5.x <= 9.5.7, 9.10.x ... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39810 – Server crash via Elasticsearch certificate file
https://notcve.org/view.php?id=CVE-2024-39810
22 Aug 2024 — Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash. Las versiones 9.5.x <= 9.5.7 y 9.10.x <= 9.10.0 de Mattermost no limitan el tiempo ni el tamaño del archivo de ruta de CA en la configuración de ElasticSearch, lo que p... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-32939 – Email addresses of remote users visible in props regardless of server settings
https://notcve.org/view.php?id=CVE-2024-32939
22 Aug 2024 — Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server." Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, cuando los canales compartidos están habilitados, no se pueden redactar las direcciones de correo electrónico originales de l... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •