Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-5875

Summary
Assigner-Mattermost
Assigner Org ID-9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At-02 Nov, 2023 | 08:27
Updated At-05 Sep, 2024 | 18:12
Rejected At-
Credits

Lack of Hardening against media exploitation from a remote origin

Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mattermost
Assigner Org ID:9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At:02 Nov, 2023 | 08:27
Updated At:05 Sep, 2024 | 18:12
Rejected At:
▼CVE Numbering Authority (CNA)
Lack of Hardening against media exploitation from a remote origin

Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server

Affected Products
Vendor
Mattermost, Inc.Mattermost
Product
Mattermost Desktop
Default Status
unaffected
Versions
Affected
  • From 0 through 5.5.0 (semver)
Unaffected
  • 5.5.1
Problem Types
TypeCWE IDDescription
CWECWE-693CWE-693: Protection Mechanism Failure
Type: CWE
CWE ID: CWE-693
Description: CWE-693: Protection Mechanism Failure
Metrics
VersionBase scoreBase severityVector
3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Mattermost Desktop to versions 5.5.1 or higher.

Configurations

Workarounds

Exploits

Credits

finder
DoyenSec
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://mattermost.com/security-updates
N/A
Hyperlink: https://mattermost.com/security-updates
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://mattermost.com/security-updates
x_transferred
Hyperlink: https://mattermost.com/security-updates
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:responsibledisclosure@mattermost.com
Published At:02 Nov, 2023 | 09:15
Updated At:09 Nov, 2023 | 17:46

Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Mattermost, Inc.
mattermost
>>mattermost_desktop>>Versions before 5.5.1(exclusive)
cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE-693Secondaryresponsibledisclosure@mattermost.com
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-693
Type: Secondary
Source: responsibledisclosure@mattermost.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://mattermost.com/security-updatesresponsibledisclosure@mattermost.com
Vendor Advisory
Hyperlink: https://mattermost.com/security-updates
Source: responsibledisclosure@mattermost.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

56Records found

CVE-2016-11068
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:24
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2016-11075
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:27
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-20850
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.90% / 55.27%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:34
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Mobile Apps before 1.26.0. A view cache can persist on a device after a logout.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_mobilen/a
CWE ID-CWE-459
Incomplete Cleanup
CVE-2019-20849
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.90% / 55.27%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:33
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Mobile Apps before 1.26.0. Cookie data can persist on a device after a logout.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_mobilen/a
CWE ID-CWE-459
Incomplete Cleanup
CVE-2016-11076
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.87% / 54.42%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:27
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-20877
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 16:28
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CVE-2019-20866
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 15:13
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2025-3913
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 17.90%
||
7 Day CHG~0.00%
Published-29 May, 2025 | 15:10
Updated-03 Oct, 2025 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team Privacy Settings Authorization Bypass in Mattermost Server

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-22445
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.5||LOW
EPSS-0.31% / 23.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 06:55
Updated-02 Oct, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Misleading UI for undefined admin console settings in Calls causes security confusion

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-2808
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 32.74%
||
7 Day CHG~0.00%
Published-29 May, 2023 | 09:07
Updated-06 Dec, 2024 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of URL normalization allows rendering previews for disallowed domains

Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-20
Improper Input Validation
CVE-2025-0503
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.23% / 14.24%
||
7 Day CHG~0.00%
Published-14 Feb, 2025 | 17:52
Updated-29 Sep, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Leaked User IDs and Metadata of Deleted DMs

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-6459
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.10%
||
7 Day CHG~0.00%
Published-06 Dec, 2023 | 08:11
Updated-16 Dec, 2024 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Public endpoint /metrics of Calls plugin reveals channel IDs

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-39807
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.34% / 26.47%
||
7 Day CHG~0.00%
Published-03 Jul, 2024 | 08:31
Updated-02 Aug, 2024 | 04:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Channel IDs of archived/restored channels leaked via webhook events

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-39772
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.31% / 23.06%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 14:27
Updated-01 Nov, 2024 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Silent Desktop Screenshot Capture

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-284
Improper Access Control
CVE-2025-54499
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.25% / 15.69%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 08:17
Updated-21 Oct, 2025 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure string comparison enables timing attacks

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2020-14457
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:13
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CVE-2020-14452
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.28% / 66.47%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:09
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-21249
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-3.7||LOW
EPSS-0.73% / 49.72%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 16:47
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CVE-2022-0903
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.80% / 51.93%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 15:17
Updated-06 Dec, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack overflow in SAML login in Mattermost

A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-787
Out-of-bounds Write
CVE-2023-1777
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.54% / 41.26%
||
7 Day CHG~0.00%
Published-31 Mar, 2023 | 11:35
Updated-06 Dec, 2024 | 23:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in linked message previews

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2017-18895
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:43
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-18887
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:10
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-18901
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:09
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-32939
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.54%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 06:29
Updated-23 Aug, 2024 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email addresses of remote users visible in props regardless of server settings

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server."

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2025-53857
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.19% / 9.13%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 18:57
Updated-25 Sep, 2025 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.

Action-Not Available
Vendor-Mattermost, Inc.
Product-confluenceMattermost Confluence Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-49221
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.23% / 13.98%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 18:56
Updated-24 Sep, 2025 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Access to Channel Subscription in Mattermost Confluence Plugin

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint.

Action-Not Available
Vendor-Mattermost, Inc.
Product-confluenceMattermost Confluence Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2017-18902
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:43
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5331
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 23.71%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:40
Updated-05 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Information Leak via IDOR in file_id in Draft Posts

Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2023-46701
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.89%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:19
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inaccessible Post Information Leak via Run Timeline IDOR

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-13326
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.9||LOW
EPSS-0.09% / 0.73%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 18:14
Updated-18 Dec, 2025 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store

Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-3472
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.5||LOW
EPSS-0.19% / 9.32%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:42
Updated-29 Jun, 2026 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Markdown image rendering bypass in AI bot tool result posts in Mattermost

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim's client.. Mattermost Advisory ID: MMSA-2026-00619

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-45835
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-2.5||LOW
EPSS-0.21% / 10.55%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 14:27
Updated-01 Nov, 2024 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Electron Fuses Configuration

Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-45833
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.5||MEDIUM
EPSS-0.33% / 24.54%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 06:41
Updated-23 Sep, 2024 | 13:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobile password gets saved in dictionary under conditions

Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_mobileMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-39836
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.26% / 17.50%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 06:27
Updated-23 Aug, 2024 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Munged email address used for password resets and notifications

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-37182
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.30% / 21.75%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 08:39
Updated-07 Aug, 2024 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of permissions prompting when opening external URLs

Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-36287
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.8||LOW
EPSS-0.19% / 8.90%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 08:39
Updated-07 Aug, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bypass of TCC restrictions on macOS

Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.

Action-Not Available
Vendor-Mattermost, Inc.Apple Inc.
Product-mattermost_desktopmacosMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-53949
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 11.76%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 18:05
Updated-25 Jun, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ghost Content API filter bypass reveals private fields

Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.

Action-Not Available
Vendor-TryGhost
Product-Ghost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-47676
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.30%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 15:26
Updated-29 May, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.

Action-Not Available
Vendor-honohonojs
Product-honohono
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-44646
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 18.73%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 22:25
Updated-22 Jun, 2026 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a child Context for the {% render %} tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new context re-derives ownPropertyOnly from opts.ownPropertyOnly (the instance-level option), silently discarding any RenderOptions.ownPropertyOnly override that was supplied to parseAndRender(). As a result, a developer who runs a Liquid instance with the backwards-compatible ownPropertyOnly:false and then locks down an untrusted render with parseAndRender(..., { ownPropertyOnly: true }) still leaks prototype-chain properties from inside any {% render %} partial. This is a distinct exploit surface from the previously identified array-filter variants (where, reject, group_by, find, find_index, has) — the underlying root cause in Context.spawn() is shared, but {% render %} is a separately reachable sink that needs no filter usage. This issue has been fixed in version 10.26.0.

Action-Not Available
Vendor-harttle
Product-liquidjs
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-44003
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 16.00%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 17:30
Updated-13 May, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.

Action-Not Available
Vendor-patriksimek
Product-vm2
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2025-12909
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 7.54%
||
7 Day CHG~0.00%
Published-07 Nov, 2025 | 23:23
Updated-21 Nov, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient policy enforcement in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to leak cross-origin data via Devtools. (Chromium security severity: Low)

Action-Not Available
Vendor-Google LLC
Product-chromeChrome
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2025-11260
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 21.77%
||
7 Day CHG+0.01%
Published-13 Nov, 2025 | 08:27
Updated-08 Apr, 2026 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Headless CMS Framework <= 1.15 - Unauthenticated Protection Mechanism Bypass

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to.

Action-Not Available
Vendor-benmoody
Product-WP Headless CMS Framework
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-0681
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.61% / 45.03%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Restriction WordPress (WP) – Protect WP Pages/Post <= 1.3.4 - Protection Mechanism Bypass

The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage.

Action-Not Available
Vendor-miniorangecyberlord92miniorange
Product-page_restrictionPage and Post Restrictionpage_restriction
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-0680
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.60% / 44.49%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 08:33
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Private Content Plus <= 3.6 - Protection Mechanism Bypass

The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.

Action-Not Available
Vendor-wpexpertdevelopernimeshrmr
Product-wp_private_content_plusWP Private Content Plus
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-6741
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-5.8||MEDIUM
EPSS-0.64% / 46.37%
||
7 Day CHG~0.00%
Published-15 Jul, 2024 | 08:26
Updated-01 Aug, 2024 | 21:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openfind Mail2000 - HttpOnly flag bypass

Openfind's Mail2000 has a vulnerability that allows the HttpOnly flag to be bypassed. Unauthenticated remote attackers can exploit this vulnerability using specific JavaScript code to obtain the session cookie with the HttpOnly flag enabled.

Action-Not Available
Vendor-openfindOpenfindopenfind
Product-mail2000Mail2000 V7.0Mail2000 V8.0mail2000
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2013-0431
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.3||MEDIUM
EPSS-89.99% / 99.78%
||
7 Day CHG~0.00%
Published-31 Jan, 2013 | 14:10
Updated-21 Apr, 2026 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-15||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

Action-Not Available
Vendor-n/aOracle Corporation
Product-openjdkjren/aJava Runtime Environment (JRE)
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2022-43435
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.62% / 45.18%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Action-Not Available
Vendor-Jenkins
Product-360_firelineJenkins 360 FireLine Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2022-43434
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.64% / 46.13%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Action-Not Available
Vendor-Jenkins
Product-neuvector_vulnerability_scannerJenkins NeuVector Vulnerability Scanner Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2025-52615
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-3.5||LOW
EPSS-0.19% / 9.08%
||
7 Day CHG~0.00%
Published-12 Oct, 2025 | 08:18
Updated-20 Oct, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Unica Platform is impacted by misconfigured security related HTTP headers

HCL Unica Platform is impacted by misconfigured security related HTTP headers. This can lead to less secure browser default treatment for the policies controlled by these headers.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-unicaUnica Platform
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2022-43424
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.65% / 46.49%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Action-Not Available
Vendor-Jenkins
Product-jenkinscompuware_xpediter_code_coverageJenkins Compuware Xpediter Code Coverage Plugin
CWE ID-CWE-693
Protection Mechanism Failure
  • Previous
  • 1
  • 2
  • Next
Details not found