Filtered by vendor Mattermost
Subscriptions
Filtered by product Mattermost
Subscriptions
Total
158 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2570 | 1 Mattermost | 1 Mattermost | 2025-07-13 | 2.7 Low |
| Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console. | ||||
| CVE-2024-11358 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 5.7 Medium |
| Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider. | ||||
| CVE-2024-50052 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | ||||
| CVE-2024-12247 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.6 Medium |
| Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated. | ||||
| CVE-2025-32093 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.7 Medium |
| Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. | ||||
| CVE-2024-10241 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | ||||
| CVE-2024-9155 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of. | ||||
| CVE-2025-0503 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. | ||||
| CVE-2025-1412 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | ||||
| CVE-2025-20086 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 6.5 Medium |
| Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | ||||
| CVE-2025-20088 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 6.5 Medium |
| Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | ||||
| CVE-2025-22445 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.5 Low |
| Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. | ||||
| CVE-2025-22449 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.8 Low |
| Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. | ||||
| CVE-2025-2424 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation. | ||||
| CVE-2025-2527 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. | ||||
| CVE-2025-2571 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 4.2 Medium |
| Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow. | ||||
| CVE-2025-31947 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 5.8 Medium |
| Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost. | ||||
| CVE-2025-4128 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-07-08 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}. | ||||
| CVE-2025-4981 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-07-08 | 9.9 Critical |
| Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default. | ||||
| CVE-2025-4573 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-07-08 | 4.1 Medium |
| Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute. | ||||