cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-11599,https://securityvulnerability.io/vulnerability/CVE-2024-11599,"Email Address Validation Vulnerability Affects Mattermost Versions","A flaw in certain versions of Mattermost allows an unauthenticated user to exploit improper email address validation during the registration process. This vulnerability permits the bypassing of email domain restrictions, which may lead to unauthorized access or impersonation risks. Organizations using affected versions should review their security measures and apply necessary updates to safeguard their platforms.",Mattermost,Mattermost,8.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-28T09:42:48.141Z,0
CVE-2024-39613,https://securityvulnerability.io/vulnerability/CVE-2024-39613,Remote Code Execution Vulnerability in Mattermost Desktop App,"The Mattermost Desktop App contains a vulnerability that arises from not specifying an absolute path when searching for the cmd.exe file. This oversight permits a local attacker to create a malicious cmd.exe file in the Downloads folder of a victim's machine. If successful, this would enable the attacker to execute arbitrary commands remotely, leading to potential unauthorized access and manipulation of system data.",Mattermost,Mattermost,7.8,HIGH,0.0005300000193528831,false,,false,false,false,,,false,false,,2024-09-16T06:40:58.501Z,0
CVE-2024-8071,https://securityvulnerability.io/vulnerability/CVE-2024-8071,Mattermost vulnerable to role promotion exploit,"A vulnerability exists in certain versions of Mattermost that allows a user with the edit access role to change their permissions to include system administration capabilities. Specifically, this issue arises because the application does not properly restrict the roles that can promote a user to system admin, enabling a role with 'edit' access to manipulate their own permissions. As a result, an unauthorized user may gain elevated privileges, which could lead to unauthorized access to sensitive system settings and critical security configurations.",Mattermost,Mattermost,7.2,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-08-22T06:39:54.830Z,0
CVE-2024-40886,https://securityvulnerability.io/vulnerability/CVE-2024-40886,Mattermost vulnerability allows for one-click client-side path traversal and CSRF,"The vulnerability in Mattermost is attributed to inadequate sanitization of user inputs in the frontend, specifically used for redirection processes. This oversight potentially exposes the User Management page in the system console to a one-click client-side path traversal, facilitating a Cross-Site Request Forgery (CSRF) attack. Organizations using vulnerable versions should prioritize updates and apply security patches to safeguard their systems against exploitation.",Mattermost,Mattermost,8.8,HIGH,0.0005799999926239252,false,,false,false,false,,,false,false,,2024-08-22T06:32:11.786Z,0
CVE-2024-39832,https://securityvulnerability.io/vulnerability/CVE-2024-39832,Permanently local data deletion by malicious remote,"An error handling vulnerability exists in Mattermost versions 9.9.x (up to 9.9.0), 9.5.x (up to 9.5.6), 9.7.x (up to 9.7.5), and 9.8.x (up to 9.8.1). This flaw permits remote attackers to exploit improper safeguarding during error management processes, particularly when shared channels are enabled. By leveraging this vulnerability, an attacker can permanently delete local data, posing serious risks to data integrity and availability in affected Mattermost environments.",Mattermost,Mattermost,8.7,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-08-01T15:15:00.000Z,0
CVE-2024-39777,https://securityvulnerability.io/vulnerability/CVE-2024-39777,Unsolicited Invite Vulnerability in Mattermost Product,"The vulnerability identified in specific versions of Mattermost allows unauthorized attackers to exploit the shared channel feature. This includes the potential for unsolicited invites that can inadvertently expose local channels, thereby compromising sensitive communications without consent from local administrators. Attackers can manipulate channel IDs, granting them unintended access to internal discussions and potentially exposing sensitive information to unauthorized parties.",Mattermost,Mattermost,9.6,CRITICAL,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-08-01T15:15:00.000Z,0
CVE-2024-41144,https://securityvulnerability.io/vulnerability/CVE-2024-41144,Malicious remote can create/update/delete arbitrary posts in arbitrary channels,"A vulnerability has been identified in Mattermost that impacts versions 9.9.x, 9.5.x, 9.7.x, and 9.8.x where the application does not appropriately validate synced posts when shared channels are enabled. This flaw allows an attacker to create, update, or delete posts in arbitrary channels, breaching the expected security protocol and potentially leading to unauthorized access and data manipulation.",Mattermost,Mattermost,7.1,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-08-01T15:15:00.000Z,0
CVE-2024-2450,https://securityvulnerability.io/vulnerability/CVE-2024-2450,Mattermost Authentication Bypass Vulnerability,"Versions of Mattermost prior to 8.1.10, 9.2.6, 9.3.2, and 9.4.3 contain a vulnerability that fails to properly verify account ownership when transitioning from email credentials to SAML authentication. This oversight enables a malicious user who is already authenticated to exploit the system and craft specific requests that could lead to the takeover of other user accounts, compromising both user privacy and system integrity.",Mattermost,Mattermost,8.8,HIGH,0.0005799999926239252,false,,false,false,false,,,false,false,,2024-03-15T09:12:28.880Z,0
CVE-2023-7114,https://securityvulnerability.io/vulnerability/CVE-2023-7114,Cross-Site Request Forgery Vulnerability in Mattermost by Mattermost,"Mattermost versions up to 2.10.0 lack proper sanitization of deeplink paths, which can enable attackers to exploit this flaw through Cross-Site Request Forgery (CSRF) attacks. This security oversight may allow unauthorized actions to be performed on behalf of authenticated users, potentially compromising server integrity and user data. It's crucial for users of affected versions to be aware of this vulnerability and take appropriate actions to mitigate potential risks.",Mattermost,Mattermost,7.1,HIGH,0.001560000004246831,false,,false,false,false,,,false,false,,2023-12-29T13:15:00.000Z,0
CVE-2023-45316,https://securityvulnerability.io/vulnerability/CVE-2023-45316,Reflected client side path traversal leading to CSRF in Playbooks,"The Mattermost platform contains a vulnerability in its telemetry API where it improperly validates the input for telemetry run IDs. This flaw allows an attacker to conduct path traversal, enabling them to manipulate the API endpoint and potentially initiate a cross-site request forgery (CSRF) attack. Users are advised to update to the latest version to mitigate the risks associated with this issue.",Mattermost,Mattermost,7.3,HIGH,0.0005799999926239252,false,,false,false,false,,,false,false,,2023-12-12T09:15:00.000Z,0
CVE-2023-6458,https://securityvulnerability.io/vulnerability/CVE-2023-6458,Client side path traversal due to lack of route parameters validation,"The Mattermost web application exhibits a serious vulnerability due to improper validation of route parameters within the URL structure. Specifically, the exploit can occur in paths associated with team and channel navigation, such as //channels/. This failure allows an attacker to manipulate the route parameters, potentially leading to unauthorized access to sensitive information stored on the server, thereby compromising the application's security.",Mattermost,Mattermost,7.1,HIGH,0.001560000004246831,false,,false,false,false,,,false,false,,2023-12-06T09:15:00.000Z,0
CVE-2023-40703,https://securityvulnerability.io/vulnerability/CVE-2023-40703,Denial of Service via specially crafted block fields in Mattermost Boards,"The Mattermost Boards service has a vulnerability that allows an attacker to bypass character limitations in certain fields. By utilizing specially crafted strings, an attacker can exploit this flaw to consume excessive system resources, potentially leading to a Denial of Service scenario. This vulnerability emphasizes the need for proper input validation and resource management to prevent application disruptions.",Mattermost,Mattermost,7.5,HIGH,0.0007800000021234155,false,,false,false,false,,,false,false,,2023-11-27T10:15:00.000Z,0
CVE-2023-5330,https://securityvulnerability.io/vulnerability/CVE-2023-5330,"Denial of Service via OpenGraph Data Cache","Mattermost contains a flaw that allows an attacker to exploit the caching mechanism for OpenGraph data. By sending specially crafted requests to the /api/v4/opengraph endpoint, an attacker can fill the cache with oversized entries. This can lead to server unavailability, disrupting service for legitimate users and potentially impacting overall system functionality.",Mattermost,Mattermost,7.5,HIGH,0.0007800000021234155,false,,false,false,false,,,false,false,,2023-10-09T11:15:00.000Z,0
CVE-2023-3615,https://securityvulnerability.io/vulnerability/CVE-2023-3615,Lack of server certificate validation in WebSockets connection,"The Mattermost iOS app has a security flaw where it fails to adequately validate server certificates during TLS initialization. This vulnerability can be exploited by network attackers, potentially allowing them to intercept WebSockets communication between the app and server. Users are encouraged to update to the latest version to mitigate this risk.",Mattermost,Mattermost iOS App,8.1,HIGH,0.0013599999947473407,false,,false,false,false,,,false,false,,2023-07-17T16:15:00.000Z,0
CVE-2023-2514,https://securityvulnerability.io/vulnerability/CVE-2023-2514,DB username/password revealed in application logs,"The Mattermost Server contains a vulnerability where sensitive database usernames and passwords are not properly redacted before being logged during server initialization. This weakness can lead to unauthorized access and potential exploitation by malicious actors who gain insight into sensitive application configuration details. It is crucial for organizations using Mattermost to apply the relevant patches and follow best practices for security to mitigate this risk.",Mattermost,Mattermost,7.5,HIGH,0.0011599999852478504,false,,false,false,false,,,false,false,,2023-05-12T09:15:00.000Z,0
CVE-2023-2515,https://securityvulnerability.io/vulnerability/CVE-2023-2515,Privilege escalation to system admin via personal access tokens,"Mattermost contains a vulnerability that allows users with specific permissions to edit other users and create personal access tokens, potentially enabling them to elevate their privileges to that of a system administrator. This flaw underscores the importance of ensuring proper access controls and user permissions within the Mattermost platform to protect sensitive system functionalities.",Mattermost,Mattermost,8.8,HIGH,0.0010900000343099236,false,,false,false,false,,,false,false,,2023-05-12T09:15:00.000Z,0
CVE-2023-2193,https://securityvulnerability.io/vulnerability/CVE-2023-2193,OAuth authorization codes do not expire when deauthorizing an OAuth2 app,"Mattermost has a security issue that permits the unauthorized use of existing authorization codes when an OAuth2 app is deauthorized. This flaw allows an attacker who possesses a valid authorization code to produce a legitimate access token, potentially compromising sensitive user data and system integrity. Immediate attention is advised to mitigate the impact of this vulnerability.",Mattermost,Mattermost,9.1,CRITICAL,0.001180000021122396,false,,false,false,false,,,false,false,,2023-04-20T09:15:00.000Z,0
CVE-2023-1831,https://securityvulnerability.io/vulnerability/CVE-2023-1831,User password logged in audit logs,"An exposure in Mattermost's audit logging feature allows for user passwords and password hashes to remain unredacted during user creation and subsequent operations when the experimental audit logging setting is enabled. This flaw may lead to sensitive information being logged and potentially accessed by unauthorized individuals, posing a significant risk to user accounts and overall platform security.",Mattermost,Mattermost,7.5,HIGH,0.0011599999852478504,false,,false,false,false,,,false,false,,2023-04-17T15:15:00.000Z,0
CVE-2022-1384,https://securityvulnerability.io/vulnerability/CVE-2022-1384,Authorized users are allowed to install old plugin versions from the Marketplace,"Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.",Mattermost,Mattermost,8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2022-04-19T20:26:28.000Z,0
CVE-2021-37859,https://securityvulnerability.io/vulnerability/CVE-2021-37859,Reflected XSS in OAuth Flow,Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost.,Mattermost,Mattermost,7.1,HIGH,0.0007300000288523734,false,,false,false,false,,,false,false,,2021-08-05T19:40:10.000Z,0
CVE-2020-13891,https://securityvulnerability.io/vulnerability/CVE-2020-13891,Authorization Token Exposure in Mattermost Mobile Apps on iOS,"Mattermost Mobile Apps prior to version 1.31.2 for iOS are susceptible to a vulnerability that allows unintended third-party servers to gain unauthorized access to authorization tokens. This issue, identified as MMSA-2020-0022, can lead to potential security risks for users. It is imperative for users of these apps to update to the latest version to mitigate this risk.",Mattermost,Mattermost,7.5,HIGH,0.0016799999866634607,false,,false,false,false,,,false,false,,2020-06-26T16:14:29.000Z,0
CVE-2015-9548,https://securityvulnerability.io/vulnerability/CVE-2015-9548,Memory Consumption Vulnerability in Mattermost Server,"A memory consumption vulnerability was identified in Mattermost Server versions earlier than 1.2.0. This flaw can be exploited by attackers through the use of a specially crafted compressed file that, when decompressed, consumes excessive memory, leading to potential denial of service. It is crucial for users to ensure their systems are updated to the latest version to mitigate the risk associated with this vulnerability. For further details, you can visit the security updates page.",Mattermost,Mattermost Server,7.5,HIGH,0.0010300000431016088,false,,false,false,false,,,false,false,,2020-06-19T19:30:35.000Z,0
CVE-2016-11074,https://securityvulnerability.io/vulnerability/CVE-2016-11074,Password Reset Link Vulnerability in Mattermost Server,"A security issue was discovered in Mattermost Server prior to version 3.0.0, where a password-reset link could be reused. This vulnerability poses a risk of unauthorized account access, potentially allowing attackers to exploit the weakened security of user accounts by generating multiple resets.",Mattermost,Mattermost Server,9.8,CRITICAL,0.0030900000128895044,false,,false,false,false,,,false,false,,2020-06-19T19:26:52.000Z,0
CVE-2016-11069,https://securityvulnerability.io/vulnerability/CVE-2016-11069,Password Change Vulnerability in Mattermost Server by Mattermost,"A vulnerability exists in Mattermost Server versions prior to 3.2.0, where the system inadequately handles brute-force attempts during password change processes. This flaw could allow unauthorized users to manipulate account credentials, highlighting the urgency for users to update to the latest version to ensure their account security against potential unauthorized access.",Mattermost,Mattermost Server,7.5,HIGH,0.0008399999933317304,false,,false,false,false,,,false,false,,2020-06-19T19:25:13.000Z,0
CVE-2016-11066,https://securityvulnerability.io/vulnerability/CVE-2016-11066,Information Disclosure in Mattermost Server by Mattermost,"A vulnerability was identified in Mattermost Server prior to version 3.2.0, wherein the initial_load API inadvertently disclosed sensitive personal information. This issue raises significant concerns regarding user data privacy and the protection of personally identifiable information (PII). Organizations using affected versions should apply updates promptly to mitigate potential data exposure risks.",Mattermost,Mattermost Server,7.5,HIGH,0.0016799999866634607,false,,false,false,false,,,false,false,,2020-06-19T19:23:24.000Z,0