Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2023-2785
Specially crafted search query can cause large log entries in postgres
Description: Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-2784
Apps Framework allows install requests from regular members via an internal path
Description: Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps.

CVSS: MEDIUM (4.2)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-2783
App Framework does not checks for the secret provided in the incoming webhook request
Description: Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-27263
IDOR: Accessing playbook runs via the Playbooks Runs API
Description: A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.

CVSS: MEDIUM (4.3)

EPSS Score: 0.06%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-2515
Privilege escalation to system admin via personal access tokens
Description: Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin

CVSS: MEDIUM (4.7)

EPSS Score: 0.11%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-2514
DB username/password revealed in application logs
Description: Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. 

CVSS: MEDIUM (6.7)

EPSS Score: 0.12%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-2193
Oauth authorization codes do not expire when deauthorizing an oauth2 app
Description: Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.

CVSS: MEDIUM (6.5)

EPSS Score: 0.12%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-2000
Unrestricted navigation due to unvalidated mattermost server redirection
Description: Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website

CVSS: MEDIUM (5.4)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-1777
Information disclosure in linked message previews
Description: Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

CVSS: MEDIUM (6.5)

EPSS Score: 0.07%

Source: CVE
December 7th, 2024 (6 months ago)

CVE-2023-1775
Unsanitized events sent over Websocket to regular users in a High Availability environment
Description: When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

CVSS: MEDIUM (4.3)

EPSS Score: 0.07%

Source: CVE
December 7th, 2024 (6 months ago)