Page 7 of 39 results (0.003 seconds)

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter. • https://mattermost.com/security-updates • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 2.7EPSS: 0%CPEs: 1EXPL: 0

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 2.7EPSS: 0%CPEs: 1EXPL: 0

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •