
CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

Mattermost fails to verify channel membership when linking a board to a channel, allowing a low-privileged authenticated user to link a board to a private channel they do not have access to. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization

CVSS: 8.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

Mattermost fails to properly validate the origin of a websocket connection, allowing a man-in-the-middle (MITM) attacker to access the Mattermost websocket APIs. • https://mattermost.com/security-updates • CWE-346: Origin Validation Error

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. • https://mattermost.com/security-updates • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

Mattermost fails to restrict a user who has permissions to edit other users and to create personal access tokens from elevating their privileges to system admin. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

When archiving a team, Mattermost fails to sanitize the related websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor