CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3582 – Lack of channel membership check when linking a board to a channel
https://notcve.org/view.php?id=CVE-2023-3582
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to, • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3581 – WebSockets accept connections from HTTPS origin
https://notcve.org/view.php?id=CVE-2023-3581
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs. • https://mattermost.com/security-updates • CWE-346: Origin Validation Error •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3577 – Limited blind SSRF to localhost/intranet in interactive dialog implementation
https://notcve.org/view.php?id=CVE-2023-3577
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF. • https://mattermost.com/security-updates • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-2515 – Privilege escalation to system admin via personal access tokens
https://notcve.org/view.php?id=CVE-2023-2515
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-1831 – User password logged in audit logs
https://notcve.org/view.php?id=CVE-2023-1831
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •