CVE-2023-4106 – A guest user can perform various actions on public playbooks
https://notcve.org/view.php?id=CVE-2023-4106
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVE-2023-4105 – Attachment of deleted message in a thread remains accessible and downloadable
https://notcve.org/view.php?id=CVE-2023-4105
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVE-2023-2785 – Specially crafted search query can cause large log entries in postgres
https://notcve.org/view.php?id=CVE-2023-2785
Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-2831 – Denial of Service while unescaping a Markdown string
https://notcve.org/view.php?id=CVE-2023-2831
Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-2797 – Path traversal in GitHub plugin's code preview feature
https://notcve.org/view.php?id=CVE-2023-2797
Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. • https://mattermost.com/security-updates • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •