pkg:Bitnami/mattermost

104 total CVEs: HIGH 21, MEDIUM 62, LOW 21


All known vulnerabilities

  • HIGH 8.8 CVE-2024-2450: Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ow…
    >= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3 | >= 9.5.0, <= 9.5.0
  • HIGH 8.8 CVE-2023-45316: Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID,…
    from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
  • HIGH 8.8 CVE-2023-2515: Mattermost Incorrect Authorization vulnerability
    from 0, < 7.1.8, >= 7.2.0, < 7.7.4, >= 7.8.0, < 7.8.3, >= 7.9.0, < 7.9.2
  • HIGH 8.8 CVE-2022-1384: Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server
    from 0, < 6.5.0
  • HIGH 8.2 CVE-2023-3591: Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.
    >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • HIGH 8.2 CVE-2023-4478: Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as ina…
    from 0, < 7.8.9, >= 7.9.0, < 7.10.5 | >= 8.0.0, <= 8.0.0
  • HIGH 8.1 CVE-2023-3581: Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket A…
    >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • HIGH 7.5 CVE-2025-25068: Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
    >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
  • HIGH 7.5 CVE-2020-14447: An issue was discovered in Mattermost Server before 5.23.0.
    from 0, < 5.23.0
  • HIGH 7.5 CVE-2020-14448: An issue was discovered in Mattermost Server before 5.23.0.
    from 0, < 5.23.0
  • HIGH 7.5 CVE-2020-14450: An issue was discovered in Mattermost Server before 5.22.0.
    from 0, < 5.22.0
  • HIGH 7.5 CVE-2020-14453: An issue was discovered in Mattermost Server before 5.21.0.
    from 0, < 5.21.0
  • HIGH 7.5 CVE-2020-14458: An issue was discovered in Mattermost Server before 5.19.0.
    from 0, < 5.19.0
  • HIGH 7.5 CVE-2020-14459: An issue was discovered in Mattermost Server before 5.19.0.
    from 0, < 5.19.0
  • HIGH 7.5 CVE-2022-0903: A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash…
    from 0, < 5.37.8, >= 6.0.0, < 6.1.3, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.3
  • HIGH 7.5 CVE-2023-1831: Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the exp…
    from 0, < 7.7.3, >= 7.8.0, < 7.8.2 | >= 7.9.0, <= 7.9.0
  • HIGH 7.5 CVE-2023-3590: Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
    >= 7.10.0, < 7.10.3
  • HIGH 7.5 CVE-2023-45847: Mattermost fails to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially cr…
    from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
  • HIGH 7.5 CVE-2023-49607: Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updat…
    from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.0, < 9.1.3, >= 9.2.0, < 9.2.2
  • HIGH 7.5 CVE-2023-5330: Mattermost fails to enforce a limit for the size of the cache entry for OpenGraph data allowing an attacker to send a specially crafted req…
    from 0, < 7.8.11, >= 8.0.0, < 8.0.3, >= 8.1.0, < 8.1.2
  • HIGH 7.1 CVE-2023-6458: Mattermost Injection vulnerability
    from 0, < 7.8.14, >= 8.0.0, < 8.1.5, >= 9.0.0, < 9.0.3, >= 9.1.0, < 9.1.2
  • MEDIUM 6.5 CVE-2024-2447: Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
  • MEDIUM 6.5 CVE-2020-14460: An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8.
    from 0, < 5.9.8, >= 5.16.0, < 5.16.5, >= 5.17.0, < 5.17.3, >= 5.18.0, < 5.18.1 | >= 5.19.0-rc1, <= 5.19.0-rc1, >= 5.19.0-rc2, <= 5.19.0-rc2, >= 5.19.0-rc3, <= 5.19.0-rc3
  • MEDIUM 6.5 CVE-2022-0904: A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the s…
    >= 5.0.0, < 5.37.8, >= 6.0.0, < 6.1.3, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.3
  • MEDIUM 6.5 CVE-2022-3147: Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows aut…
    from 0, < 7.1.0
  • MEDIUM 6.5 CVE-2023-3593: Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
    >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • MEDIUM 6.5 CVE-2023-49809: Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to t…
    from 0, < 8.1.6, >= 9.0.0, < 9.1.1
  • MEDIUM 6.5 CVE-2023-5333: Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash…
    from 0, < 7.8.11, >= 8.0.0, < 8.0.3, >= 8.1.0, < 8.1.2
  • MEDIUM 6.5 CVE-2023-1775: Mattermost vulnerable to information disclosure
    from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1
  • MEDIUM 6.5 CVE-2022-3257: Mattermost subject to Denial of Service via upload of special GIF
    from 0, < 7.2.0
  • MEDIUM 6.5 CVE-2022-2401: Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server
    from 0, < 6.3.9, >= 6.4.0, < 6.5.2 | >= 6.6.0, <= 6.6.0, >= 6.6.1, <= 6.6.1, >= 6.7.0, <= 6.7.0
  • MEDIUM 6.5 CVE-2022-1982: Uncontrolled Resource Consumption in Mattermost server
    >= 5.0.0, < 6.3.8, >= 6.4.0, < 6.4.3 | >= 6.5.0, <= 6.5.0, >= 6.6.0, <= 6.6.0
  • MEDIUM 6.5 CVE-2022-1337: Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server
    >= 5.37.0, < 5.37.9, >= 6.2.0, < 6.2.5, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.2
  • MEDIUM 6.1 CVE-2024-2445: Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x bef…
    >= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3
  • MEDIUM 6.1 CVE-2023-1421: A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX request…
    >= 5.32.0, < 7.7.0
  • MEDIUM 6.0 CVE-2024-42497: Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.8, >= 9.8.0, < 9.8.3, >= 9.9.0, < 9.9.2 | >= 9.10.0, <= 9.10.0
  • MEDIUM 5.7 CVE-2021-37863: Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a…
    from 0, < 6.0.1
  • MEDIUM 5.5 CVE-2024-41144: Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.7, >= 9.7.0, < 9.7.6, >= 9.8.0, < 9.8.2 | >= 9.9.0, <= 9.9.0
  • MEDIUM 5.4 CVE-2025-27933: Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
    >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
  • MEDIUM 5.4 CVE-2024-42406: Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing…
    >= 9.5.0, < 9.5.9, >= 9.9.0, < 9.9.3, >= 9.10.0, < 9.10.2 | >= 9.11.0-rc1, <= 9.11.0-rc1, >= 9.11.0-rc2, <= 9.11.0-rc2, >= 9.11.0-rc3, <= 9.11.0-rc3, >= 9.11.0, <= 9.11.0
  • MEDIUM 5.4 CVE-2024-45843: Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an…
    >= 9.5.0, < 9.5.9
  • MEDIUM 5.4 CVE-2024-47003: Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.9 | >= 9.11.0-rc1, <= 9.11.0-rc1, >= 9.11.0-rc2, <= 9.11.0-rc2, >= 9.11.0-rc3, <= 9.11.0-rc3, >= 9.11.0, <= 9.11.0
  • MEDIUM 5.4 CVE-2021-37862: Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into…
    from 0, < 6.0.1
  • MEDIUM 5.4 CVE-2023-3586: Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previous…
    >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • MEDIUM 5.4 CVE-2023-6547: Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but…
    from 0, < 8.1.6, >= 9.2.0, < 9.2.2
  • MEDIUM 5.4 CVE-2023-1776: Mattermost vulnerable to cross-site scripting (XSS)
    from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1
  • MEDIUM 5.4 CVE-2023-1774: Mattermost fails to properly authenticate inviter's permissions to private channel
    from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1
  • MEDIUM 5.3 CVE-2020-14452: An issue was discovered in Mattermost Server before 5.21.0.
    from 0, < 5.21.0
  • MEDIUM 5.3 CVE-2022-2366: Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate li…
    from 0, < 6.3.9, >= 6.4.0, < 6.5.2, >= 6.6.0, < 6.6.2 | >= 6.7.0, <= 6.7.0
  • MEDIUM 5.3 CVE-2023-46701: Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plu…
    from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
  • MEDIUM 5.3 CVE-2023-5331: Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized…
    from 0, < 7.8.11, >= 8.0.0, < 8.0.3, >= 8.1.0, < 8.1.2
  • MEDIUM 5.3 CVE-2023-6459: Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
    from 0, < 7.8.14, >= 8.0.0, < 8.1.5
  • MEDIUM 5.3 CVE-2023-1777: Mattermost vulnerable to information disclosure
    from 0, < 7.1.6 | >= 7.7.1, <= 7.7.1, >= 7.8.0, <= 7.8.0
  • MEDIUM 5.3 CVE-2020-14457: Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost
    from 0, < 5.20.0
  • MEDIUM 4.8 CVE-2024-36250: Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to…
    >= 9.5.0, < 9.5.11, >= 9.11.0, < 9.11.3
  • MEDIUM 4.7 CVE-2024-29221: Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
  • MEDIUM 4.6 CVE-2024-46872: Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery
    >= 9.5.0, <= 9.5.9, >= 9.10.0, <= 9.10.2, >= 9.11.0, <= 9.11.1
  • MEDIUM 4.6 CVE-2022-1385: Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server
    from 0, < 6.5.0
  • MEDIUM 4.3 CVE-2025-30179: Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
    >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
  • MEDIUM 4.3 CVE-2025-25274: Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
    >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
  • MEDIUM 4.3 CVE-2025-24920: Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
    >= 9.11.0, < 10.0.0, >= 10.3.0, < 10.5.1
  • MEDIUM 4.3 CVE-2024-2446: Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-menti…
    >= 8.1.0, < 8.1.10, >= 9.2.0, < 9.2.6, >= 9.3.0, < 9.3.2, >= 9.4.0, < 9.4.3
  • MEDIUM 4.3 CVE-2024-42000: Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api…
    >= 9.5.0, < 9.5.10, >= 9.10.0, < 9.10.3, >= 9.11.0, < 9.11.2 | >= 10.0.0-rc1, <= 10.0.0-rc1, >= 10.0.0-rc2, <= 10.0.0-rc2, >= 10.0.0-rc3, <= 10.0.0-rc3, >= 10.0.0-rc4, <= 10.0.0-rc4, >= 10.0.0, <= 10.0.0
  • MEDIUM 4.3 CVE-2024-52032: Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in chann…
    >= 9.11.0, < 9.11.3 | >= 10.0.0-rc1, <= 10.0.0-rc1, >= 10.0.0-rc2, <= 10.0.0-rc2, >= 10.0.0-rc3, <= 10.0.0-rc3, >= 10.0.0-rc4, <= 10.0.0-rc4, >= 10.0.0, <= 10.0.0
  • MEDIUM 4.3 CVE-2024-47145: Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which…
    >= 9.5.0, < 9.5.9
  • MEDIUM 4.3 CVE-2024-43780: Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.8, >= 9.8.0, < 9.8.3, >= 9.9.0, < 9.9.2 | >= 9.10.0, <= 9.10.0
  • MEDIUM 4.3 CVE-2024-39839: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.7, >= 9.7.0, < 9.7.6, >= 9.8.0, < 9.8.2 | >= 9.9.0, <= 9.9.0
  • MEDIUM 4.3 CVE-2024-28949: Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.11, >= 9.3.0, < 9.3.3, >= 9.4.0, < 9.4.4, >= 9.5.0, < 9.5.2
  • MEDIUM 4.3 CVE-2023-2281: When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients.
    from 0, < 7.9.0
  • MEDIUM 4.3 CVE-2023-3577: Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perfor…
    >= 7.8.0, < 7.8.7, >= 7.10.0, < 7.10.3
  • MEDIUM 4.3 CVE-2023-3582: Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Boar…
    >= 7.8.0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • MEDIUM 4.3 CVE-2023-3585: Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards lin…
    from 0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • MEDIUM 4.3 CVE-2023-49874: Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks…
    from 0, < 7.8.15, >= 8.0.0, < 8.1.6, >= 9.0.0, < 9.0.4, >= 9.1.1, < 9.1.3, >= 9.2.0, < 9.2.2
  • MEDIUM 4.3 CVE-2023-6727: Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to…
    from 0, < 8.1.6, >= 9.2.0, < 9.2.2
  • MEDIUM 4.3 CVE-2024-1942: Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.9, >= 9.2.0, < 9.2.5 | >= 9.3.0, <= 9.3.0
  • MEDIUM 4.3 CVE-2024-1953: Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.9, >= 9.2.0, < 9.2.5, >= 9.4.0, < 9.4.2 | >= 9.3.0, <= 9.3.0
  • MEDIUM 4.3 CVE-2024-23493: Mattermost leaks details of AD/LDAP groups of a teams
    from 0, < 8.1.9, >= 9.0.0, < 9.2.5, >= 9.4.0, < 9.4.2 | >= 9.3.0-rc1, <= 9.3.0-rc1, >= 9.3.0-rc2, <= 9.3.0-rc2, >= 9.3.0, <= 9.3.0
  • MEDIUM 4.3 CVE-2024-24988: Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
    from 0, < 8.1.8, >= 9.0.0, < 9.1.5, >= 9.2.0, < 9.2.4
  • MEDIUM 4.3 CVE-2024-1402: Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
    from 0, < 9.6.1
  • MEDIUM 4.3 CVE-2023-47858: Mattermost viewing archived public channels permissions vulnerability
    from 0, < 8.1.7, >= 9.0.0, < 9.0.5, >= 9.1.0, < 9.1.4, >= 9.2.0, < 9.2.3
  • MEDIUM 4.3 CVE-2023-48732: Mattermost notified all users in the channel when using WebSockets to respond individually
    from 0, < 8.1.7
  • MEDIUM 4.3 CVE-2022-1332: Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server
    >= 5.37.0, < 5.37.9, >= 6.2.0, < 6.2.5, >= 6.3.0, < 6.3.5, >= 6.4.0, < 6.4.2
  • MEDIUM 4.1 CVE-2024-41162: Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.7, >= 9.7.0, < 9.7.6, >= 9.8.0, < 9.8.2 | >= 9.9.0, <= 9.9.0
  • LOW 3.8 CVE-2024-39837: Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.7 | >= 9.9.0, <= 9.9.0
  • LOW 3.7 CVE-2024-39772: Mattermost Desktop App fails to safeguard screen capture functionality
    from 0, < 5.9.0
  • LOW 3.7 CVE-2023-50333: Mattermost allows demoted guests to change group names
    from 0, < 8.1.7
  • LOW 3.7 CVE-2023-7113: Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
    from 0, < 8.1.7
  • LOW 3.5 CVE-2023-3613: Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels allowing guest accounts t…
    from 0, < 7.8.6, >= 7.9.0, < 7.10.3
  • LOW 3.5 CVE-2024-23319: Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira
    from 0, < 9.6.1
  • LOW 3.4 CVE-2024-24774: Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira
    from 0, < 9.6.1
  • LOW 3.3 CVE-2025-27715: Mattermost fails to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
    >= 9.11.0, < 10.0.0
  • LOW 3.3 CVE-2023-3614: Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making th…
    from 0, < 7.8.7, >= 7.9.0, < 7.9.5, >= 7.10.0, < 7.10.3
  • LOW 3.1 CVE-2024-21848: Mattermost Server Improper Access Control
    >= 8.1.0, < 8.1.11
  • LOW 3.1 CVE-2024-28053: Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.10
  • LOW 3.1 CVE-2023-3584: Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing…
    >= 7.8.0, < 7.8.5, >= 7.10.0, < 7.10.3
  • LOW 3.1 CVE-2024-1952: Mattermost incorrectly allows access to individual posts
    >= 8.1.0, < 8.1.9
  • LOW 3.1 CVE-2024-24776: Mattermost fails to check the required permissions
    from 0, < 9.6.1
  • LOW 2.7 CVE-2024-40884: Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.8 | >= 9.10.0, <= 9.10.0
  • LOW 2.7 CVE-2024-41926: Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
    >= 9.5.0, < 9.5.7 | >= 9.9.0, <= 9.9.0
  • LOW 2.7 CVE-2023-27265: Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an…
    >= 5.12.0, < 7.7.0
  • LOW 2.7 CVE-2023-27266: Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an…
    >= 5.12.0, < 7.7.0
  • LOW 2.7 CVE-2023-3587: Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sha…
    >= 7.8.0, < 7.8.7, >= 7.10.0, < 7.10.3
  • LOW 2.6 CVE-2024-1949: Mattermost race condition in github.com/mattermost/mattermost-server
    >= 8.1.0, < 8.1.9, >= 9.4.0, < 9.4.2
  • LOW 2.5 CVE-2024-45835: Mattermost Desktop App fails to sufficiently configure Electron Fuses
    from 0, < 5.9.0