cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-46872,https://securityvulnerability.io/vulnerability/CVE-2024-46872,Input Sanitization Flaw in Mattermost Web Application,"A critical input sanitization vulnerability has been discovered in Mattermost, affecting versions 9.10.2 or earlier in the 9.10.x series, 9.11.1 or earlier in the 9.11.x series, and 9.5.9 or earlier in the 9.5.x series. This vulnerability arises from the failure to properly sanitize user inputs on the frontend, enabling malicious actors to exploit it through a one-click client-side path traversal. This flaw has serious implications, as it establishes a potential pathway for Cross-Site Request Forgery (CSRF) attacks in Playbooks. Organizations using these affected versions are strongly advised to implement the recommended security updates to mitigate associated risks.",Mattermost,Mattermost Server,4.6,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-10-29T09:15:00.000Z,0
CVE-2024-45835,https://securityvulnerability.io/vulnerability/CVE-2024-45835,Vulnerability in Electron Configuration of Mattermost Desktop App,"The Mattermost Desktop App versions 5.8.0 and earlier exhibit a security vulnerability linked to insufficient configuration of Electron Fuses. This misconfiguration may allow an attacker to exploit the application to access sensitive data, including Chromium cookies. Additionally, it can facilitate other possible abuses via both remote and local access. Users of the affected version should take immediate action to mitigate risks associated with this vulnerability.",Mattermost,Mattermost Server,6.5,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-09-16T15:15:00.000Z,0
CVE-2024-39772,https://securityvulnerability.io/vulnerability/CVE-2024-39772,Screen Capture Vulnerability in Mattermost Desktop App,The Mattermost Desktop App versions up to 5.8.0 have a vulnerability that compromises the screen capture functionality. This flaw allows attackers to leverage JavaScript APIs to silently capture high-quality screenshots without the end-user's consent or knowledge. Users of the Mattermost Desktop App should be aware of this risk and take necessary precautions to safeguard their sensitive information.,Mattermost,Mattermost Server,5.3,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-09-16T15:15:00.000Z,0
CVE-2024-43780,https://securityvulnerability.io/vulnerability/CVE-2024-43780,Files Can Be Uploaded by Guest Users Despite Permission Restrictions,"Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.",Mattermost,Mattermost Server,4.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-08-22T16:15:00.000Z,0
CVE-2024-42497,https://securityvulnerability.io/vulnerability/CVE-2024-42497,Mattermost Permissions Vulnerability Allows Read-Only Users to Perform Write Operations,"Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.",Mattermost,Mattermost Server,4.9,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-08-22T16:15:00.000Z,0
CVE-2024-40884,https://securityvulnerability.io/vulnerability/CVE-2024-40884,Mattermost Permission Enforcement Vulnerability,"Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without ""Add Team Members"" permission to disable the invite URL.",Mattermost,Mattermost Server,2.7,LOW,0.0004400000034365803,false,false,false,false,,false,false,2024-08-22T16:15:00.000Z,0
CVE-2024-39837,https://securityvulnerability.io/vulnerability/CVE-2024-39837,Channel Creation Vulnerability in Mattermost by Mattermost,"Mattermost versions 9.9.x up to and including 9.9.0 and 9.5.x up to and including 9.5.6 exhibit a flaw in the management of channel permissions. This vulnerability allows an unauthorized remote attacker to create arbitrary channels when shared channels are enabled, potentially leading to information disclosure and misuse of the platform. Organizations using these versions are advised to implement immediate corrective actions by updating to the latest secure versions and reviewing their channel sharing settings.",Mattermost,Mattermost Server,5.4,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-08-01T15:15:00.000Z,0
CVE-2024-41926,https://securityvulnerability.io/vulnerability/CVE-2024-41926,Sync Message Validation Issue in Mattermost by Mattermost,"Certain versions of Mattermost, specifically those in the 9.9.x range up to 9.9.0 and 9.5.x range up to 9.5.6, suffer from a validation issue regarding sync messages. This flaw permits a malicious remote entity to submit arbitrary RemoteId values, potentially allowing them to incorrectly assert that a user was synced from a different remote source. Such an exploit could compromise user integrity and lead to unauthorized access scenarios.",Mattermost,Mattermost Server,4.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-08-01T15:15:00.000Z,0
CVE-2024-39839,https://securityvulnerability.io/vulnerability/CVE-2024-39839,"Username Manipulation Vulnerability in Mattermost by Mattermost, Inc.","Certain versions of Mattermost have a vulnerability that allows users to alter their remote username when shared channels are enabled. This breach permits a user to configure their remote username to any arbitrary value, which is subsequently synchronized to the local server unless the user has been previously synced. This could potentially lead to identity misrepresentation and security concerns within collaborative environments.",Mattermost,Mattermost Server,4.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-08-01T15:15:00.000Z,0
CVE-2024-41162,https://securityvulnerability.io/vulnerability/CVE-2024-41162,Remote Channel Manipulation Vulnerability in Mattermost by Mattermost Inc.,"A security flaw in Mattermost allows remote users to modify local channels when shared channels are enabled. This vulnerability enables malicious actors to make arbitrary local channels read-only, potentially disrupting user access and communication. Various versions of Mattermost are affected, necessitating users to update their installations to mitigate risks associated with unauthorized channel modifications.",Mattermost,Mattermost Server,4.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-08-01T15:15:00.000Z,0
CVE-2024-28949,https://securityvulnerability.io/vulnerability/CVE-2024-28949,Large Number of User Preferences Can Cause Denial of Service,"Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.",Mattermost,Mattermost Server,6.5,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2024-04-05T09:15:00.000Z,0
CVE-2024-29221,https://securityvulnerability.io/vulnerability/CVE-2024-29221,Insecure Endpoint Allows Team Admins to Invite Users Despite Removal of 'Add Members' Permission,"Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the ""Add Members"" permission was explicitly removed from team admins.",Mattermost,Mattermost Server,3.8,LOW,0.00044999999227002263,false,false,false,false,,false,false,2024-04-05T09:15:00.000Z,0
CVE-2024-21848,https://securityvulnerability.io/vulnerability/CVE-2024-21848,Attacker Can Participate in Active Calls Despite Being Removed from Channel,"Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel",Mattermost,Mattermost Server,3.1,LOW,0.00044999999227002263,false,false,false,false,,false,false,2024-04-05T09:15:00.000Z,0
CVE-2015-9548,https://securityvulnerability.io/vulnerability/CVE-2015-9548,,An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.,Mattermost,Mattermost Server,7.5,HIGH,0.0010300000431016088,false,false,false,false,,false,false,2020-06-19T19:30:35.000Z,0
CVE-2016-11084,https://securityvulnerability.io/vulnerability/CVE-2016-11084,,An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.,Mattermost,Mattermost Server,6.1,MEDIUM,0.0005300000193528831,false,false,false,false,,false,false,2020-06-19T19:30:10.000Z,0
CVE-2016-11083,https://securityvulnerability.io/vulnerability/CVE-2016-11083,,An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.,Mattermost,Mattermost Server,6.1,MEDIUM,0.0007800000021234155,false,false,false,false,,false,false,2020-06-19T19:29:43.000Z,0
CVE-2016-11082,https://securityvulnerability.io/vulnerability/CVE-2016-11082,,An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.,Mattermost,Mattermost Server,6.1,MEDIUM,0.0007800000021234155,false,false,false,false,,false,false,2020-06-19T19:29:32.000Z,0
CVE-2016-11081,https://securityvulnerability.io/vulnerability/CVE-2016-11081,,An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.,Mattermost,Mattermost Server,4.3,MEDIUM,0.000539999979082495,false,false,false,false,,false,false,2020-06-19T19:29:13.000Z,0
CVE-2016-11080,https://securityvulnerability.io/vulnerability/CVE-2016-11080,,An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.,Mattermost,Mattermost Server,4.3,MEDIUM,0.000539999979082495,false,false,false,false,,false,false,2020-06-19T19:28:59.000Z,0
CVE-2016-11079,https://securityvulnerability.io/vulnerability/CVE-2016-11079,,An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.,Mattermost,Mattermost Server,6.1,MEDIUM,0.0007800000021234155,false,false,false,false,,false,false,2020-06-19T19:28:42.000Z,0
CVE-2016-11078,https://securityvulnerability.io/vulnerability/CVE-2016-11078,,An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.,Mattermost,Mattermost Server,6.5,MEDIUM,0.0006500000017695129,false,false,false,false,,false,false,2020-06-19T19:28:22.000Z,0
CVE-2016-11077,https://securityvulnerability.io/vulnerability/CVE-2016-11077,,An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.,Mattermost,Mattermost Server,2.7,LOW,0.000539999979082495,false,false,false,false,,false,false,2020-06-19T19:28:01.000Z,0
CVE-2016-11076,https://securityvulnerability.io/vulnerability/CVE-2016-11076,,An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.,Mattermost,Mattermost Server,5.3,MEDIUM,0.0008399999933317304,false,false,false,false,,false,false,2020-06-19T19:27:37.000Z,0
CVE-2016-11075,https://securityvulnerability.io/vulnerability/CVE-2016-11075,,An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.,Mattermost,Mattermost Server,5.3,MEDIUM,0.0008399999933317304,false,false,false,false,,false,false,2020-06-19T19:27:18.000Z,0
CVE-2016-11074,https://securityvulnerability.io/vulnerability/CVE-2016-11074,,An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.,Mattermost,Mattermost Server,9.8,CRITICAL,0.0030900000128895044,false,false,false,false,,false,false,2020-06-19T19:26:52.000Z,0