Filtered by vendor Mattermost
Subscriptions
Total
533 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13324 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-29 | 3.7 Low |
| Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed. | ||||
| CVE-2025-12689 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-29 | 6.5 Medium |
| Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request. | ||||
| CVE-2025-13326 | 1 Mattermost | 2 Mattermost, Mattermost Desktop | 2025-12-18 | 3.9 Low |
| Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder. | ||||
| CVE-2025-13321 | 1 Mattermost | 2 Mattermost, Mattermost Desktop | 2025-12-18 | 3.3 Low |
| Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs. | ||||
| CVE-2025-12756 | 1 Mattermost | 3 Mattermost, Mattermost Boards, Mattermost Server | 2025-12-05 | 4.3 Medium |
| Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | ||||
| CVE-2025-13870 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-03 | 3.1 Low |
| Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to | ||||
| CVE-2025-12559 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-03 | 4.3 Medium |
| Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint | ||||
| CVE-2025-11794 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-01 | 4.9 Medium |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint | ||||
| CVE-2025-55074 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-11-25 | 3 Low |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects | ||||
| CVE-2025-55073 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-11-19 | 5.4 Medium |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL. | ||||
| CVE-2025-11777 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-11-17 | 3.1 Low |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint | ||||
| CVE-2025-11776 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-11-17 | 4.3 Medium |
| Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | ||||
| CVE-2025-41436 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-11-17 | 3.1 Low |
| Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads | ||||
| CVE-2025-55070 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-11-17 | 6.5 Medium |
| Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events | ||||
| CVE-2025-47700 | 1 Mattermost | 3 Mattermost, Mattermost Server, Server | 2025-10-29 | 3.5 Low |
| Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions | ||||
| CVE-2025-55035 | 1 Mattermost | 2 Mattermost, Mattermost Desktop | 2025-10-29 | 6.1 Medium |
| Mattermost Desktop App versions <=5.13.0 fail to manage modals in the Mattermost Desktop App that stops a user with a server that uses basic authentication from accessing their server which allows an attacker that provides a malicious server to the user to deny use of the Desktop App via having the user configure the malicious server and forcing a modal popup that cannot be closed. | ||||
| CVE-2025-58084 | 1 Mattermost | 2 Mattermost, Mattermost Desktop | 2025-10-29 | 3.5 Low |
| Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL. | ||||
| CVE-2025-41443 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-29 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint | ||||
| CVE-2025-10545 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-21 | 3.1 Low |
| Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint | ||||
| CVE-2025-41410 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-21 | 5.4 Medium |
| Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions | ||||