CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2023-2793	Stack exhaustion in PreparePostForClientWithEmbedsAndImages Description: Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial-of-service by a linking to a specially crafted webpage in a message. CVSS: MEDIUM (6.5) EPSS Score: 0.09% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2792	Ephemeral messages return private channel contents in permalink previews Description: Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. CVSS: MEDIUM (6.5) EPSS Score: 0.06% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2791	Playbooks lets you edit arbitrary posts Description: When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. CVSS: MEDIUM (4.3) EPSS Score: 0.05% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2788	Deactivated user can retain access using oauth2 api Description: Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. CVSS: MEDIUM (6.2) EPSS Score: 0.06% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2787	Collapsed Reply Threads APIs leak message contents from private channels Description: Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. CVSS: MEDIUM (6.5) EPSS Score: 0.06% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2786	Channel commands execution doesn't properly verify permissions Description: Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands. CVSS: MEDIUM (4.3) EPSS Score: 0.05% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2785	Specially crafted search query can cause large log entries in postgres Description: Mattermost fails to properly truncate the postgres error log message of a search query failure allowing an attacker to cause the creation of large log files which can result in Denial of Service CVSS: MEDIUM (4.3) EPSS Score: 0.05% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2784	Apps Framework allows install requests from regular members via an internal path Description: Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. CVSS: MEDIUM (4.2) EPSS Score: 0.05% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-2783	App Framework does not checks for the secret provided in the incoming webhook request Description: Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. CVSS: MEDIUM (4.3) EPSS Score: 0.05% Source: CVE December 7th, 2024 (7 months ago)
CVE-2023-27561	runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an... Description: runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. CVSS: LOW (0.0) EPSS Score: 0.05% Source: CVE December 7th, 2024 (7 months ago)