Every CVE whose affected-product data names Mattermost, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (77)
CVE-2019-20851 — CVSS 9.1 (critical): An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to…
CVE-2024-39274 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes…
CVE-2024-39777 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access…
CVE-2023-3615 — CVSS 8.1 (high): Mattermost iOS app fails to properly validate the server certificate while initializing the TLS connection allowing a network attacker to…
CVE-2024-39830 — CVSS 8.1 (high): Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use…
CVE-2020-13891 — CVSS 7.5 (high): An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization…
CVE-2024-36492 — CVSS 7.4 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when…
CVE-2023-7114 — CVSS 7.1 (high): Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
CVE-2023-27264 — CVSS 7.1 (high): A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/…
CVE-2021-37859 — CVSS 7.1 (high): Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost.
CVE-2023-4107 — CVSS 6.7 (medium): Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a…
CVE-2023-2514 — CVSS 6.7 (medium): Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization.
CVE-2023-2193 — CVSS 6.5 (medium): Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an…
CVE-2023-5195 — CVSS 6.5 (medium): Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they…
CVE-2023-5196 — CVSS 6.5 (medium): Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a…
CVE-2023-2787 — CVSS 6.5 (medium): Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the…
CVE-2023-2792 — CVSS 6.5 (medium): Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted…
CVE-2023-2793 — CVSS 6.5 (medium): Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a…
CVE-2023-4106 — CVSS 6.3 (medium): Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest…
CVE-2023-2788 — CVSS 6.2 (medium): Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to…
CVE-2021-37861 — CVSS 5.8 (medium): Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails.
CVE-2024-42411 — CVSS 5.3 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which…
CVE-2024-6428 — CVSS 5.3 (medium): Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user…
CVE-2023-5969 — CVSS 5.3 (medium): Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to…
CVE-2024-39810 — CVSS 4.9 (medium): Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch…
CVE-2023-5968 — CVSS 4.9 (medium): Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the…
CVE-2023-5193 — CVSS 4.9 (medium): Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to…
CVE-2024-39836 — CVSS 4.8 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot…
CVE-2024-8071 — CVSS 4.7 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as…
CVE-2024-40886 — CVSS 4.6 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are…
CVE-2023-4108 — CVSS 4.5 (medium): Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
CVE-2023-27263 — CVSS 4.3 (medium): A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging…
CVE-2021-37865 — CVSS 4.3 (medium): Mattermost 6.2 and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which…
CVE-2022-0708 — CVSS 4.3 (medium): Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated…
CVE-2022-2406 — CVSS 4.3 (medium): The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows…
CVE-2022-2408 — CVSS 4.3 (medium): The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to…
CVE-2022-4019 — CVSS 4.3 (medium): A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large…
CVE-2022-4044 — CVSS 4.3 (medium): A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
CVE-2023-2783 — CVSS 4.3 (medium): Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the…
CVE-2023-2785 — CVSS 4.3 (medium): Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation…
CVE-2023-2786 — CVSS 4.3 (medium): Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a…
CVE-2023-2791 — CVSS 4.3 (medium): When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit…
CVE-2023-2808 — CVSS 4.3 (medium): Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an…
CVE-2023-2831 — CVSS 4.3 (medium): Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a…
CVE-2023-40703 — CVSS 4.3 (medium): Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to…
CVE-2023-43754 — CVSS 4.3 (medium): Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display…
CVE-2023-45223 — CVSS 4.3 (medium): Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the…
CVE-2023-47168 — CVSS 4.3 (medium): Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to…
CVE-2023-47865 — CVSS 4.3 (medium): Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed…
CVE-2023-48268 — CVSS 4.3 (medium): Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an…
CVE-2023-48369 — CVSS 4.3 (medium): Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to…
CVE-2023-5160 — CVSS 4.3 (medium): Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the…
CVE-2023-5522 — CVSS 4.3 (medium): Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of…
CVE-2023-5967 — CVSS 4.3 (medium): Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to…
CVE-2023-6202 — CVSS 4.3 (medium): Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user…
CVE-2024-32939 — CVSS 4.3 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact…
CVE-2024-43813 — CVSS 4.3 (medium): Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including…
CVE-2023-2784 — CVSS 4.2 (medium): Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user…
CVE-2023-5159 — CVSS 3.8 (low): Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to…
CVE-2021-37860 — CVSS 3.7 (low): Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary…
CVE-2026-24661 — CVSS 3.7 (low): Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an…
CVE-2023-1562 — CVSS 3.5 (low): Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call…
CVE-2024-10214 — CVSS 3.5 (low): Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in…
CVE-2022-1003 — CVSS 3.3 (low): One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to…
CVE-2023-2797 — CVSS 3.1 (low): Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted…
CVE-2023-4105 — CVSS 3.1 (low): Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and…
CVE-2024-39361 — CVSS 3.1 (low): Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their…
CVE-2023-35075 — CVSS 3.1 (low): Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to…
CVE-2024-39807 — CVSS 3.1 (low): Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker…
CVE-2022-4045 — CVSS 3.1 (low): A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the…
CVE-2024-29977 — CVSS 2.7 (low): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which…
CVE-2024-39353 — CVSS 2.7 (low): Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high…
CVE-2023-5194 — CVSS 2.7 (low): Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote /…
CVE-2024-36257 — CVSS 2.7 (low): Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the…
CVE-2021-37864 — CVSS 2.6 (low): Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to…
CVE-2022-1002 — CVSS 2.0 (low): Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows…