CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-1402 – Denial of service in mattermost mobile apps and server via emoji reactions
https://notcve.org/view.php?id=CVE-2024-1402
09 Feb 2024 — Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post. Mattermost no verifica si existe una reacción de emoji personalizada al enviarla a una publicación y no limita la cantida... • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-47858 – Details of archived public channels are leaked to members of another team
https://notcve.org/view.php?id=CVE-2023-47858
02 Jan 2024 — Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6727 – Leak Inaccessible Playbook Information via Channel Action IDOR
https://notcve.org/view.php?id=CVE-2023-6727
12 Dec 2023 — Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. Mattermost no realiza comprobaciones de autorización correctas al crear una acción del playbook, lo que permite a los usuarios sin acceso al playbook crear acciones del playbook. Si la acc... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-45316 – Reflected client side path traversal leading to CSRF in Playbooks
https://notcve.org/view.php?id=CVE-2023-45316
12 Dec 2023 — Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6547 – Playbooks access/modification by removed team member
https://notcve.org/view.php?id=CVE-2023-6547
12 Dec 2023 — Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. Mattermost no valida la membresía del equipo cuando un usuario intenta acceder a un playbook, lo que permite que un usuario con permisos para un playbook pero sin pe... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-49607 – Playbook plugin crash via missing interface type assertion
https://notcve.org/view.php?id=CVE-2023-49607
12 Dec 2023 — Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog. Mattermost no logra validar el tipo de parámetro de solicitud del cuerpo "recordatorio", lo que permite a un atacante bloquear el complemento Playbook al actualizar el cuadro de diálogo de estado. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-46701 – Inaccessible Post Information Leak via Run Timeline IDOR
https://notcve.org/view.php?id=CVE-2023-46701
12 Dec 2023 — Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID Mattermost no realiza comprobaciones de autorización en el endpoint /plugins/playbooks/api/v0/runs/add-to-timeline-dialog del complemento Playbooks, lo que permite a un atacante obtener información limitada sobre una publicación si conoce el ID de la publicación. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-49874 – IDOR when updating the tasks of a private playbook run
https://notcve.org/view.php?id=CVE-2023-49874
12 Dec 2023 — Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID. Mattermost no verifica si un usuario es un invitado al actualizar las tareas de una ejecución de un playbook privado, lo que permite a un invitado actualizar las tareas de una ejecución de un playbook privado si conoce el ID de la ejecución. Mattermost fails to check whether a user is a guest when updating the tasks of a... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-45847 – Playbook Plugin Crash via Run Checklist
https://notcve.org/view.php?id=CVE-2023-45847
12 Dec 2023 — Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin Mattermost no verifica la longitud al configurar el título en una lista de verificación de ejecución en Playbooks, lo que permite a un atacante enviar una solicitud especialmente manipulada y bloquear el complemento de Playbooks. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6458 – Client side path traversal due to lack of route parameters validation
https://notcve.org/view.php?id=CVE-2023-6458
06 Dec 2023 — Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. La aplicación web Mattermost no puede validar los parámetros de ruta en//channels/, lo que permite a un atacante realizar un path traversal del lado del cliente. Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •