CVE-2023-2786 – Channel commands execution doesn't properly verify permissions
https://notcve.org/view.php?id=CVE-2023-2786
Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •
CVE-2023-2808 – Lack of URL normalization allows rendering previews for disallowed domains
https://notcve.org/view.php?id=CVE-2023-2808
Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link. • https://mattermost.com/security-updates • CWE-20: Improper Input Validation •
CVE-2023-2514 – DB username/password revealed in application logs
https://notcve.org/view.php?id=CVE-2023-2514
Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-2193 – Oauth authorization codes do not expire when deauthorizing an oauth2 app
https://notcve.org/view.php?id=CVE-2023-2193
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •