Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-6459

Summary
Assigner-Mattermost
Assigner Org ID-9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At-06 Dec, 2023 | 08:11
Updated At-16 Dec, 2024 | 16:02
Rejected At-
Credits

Public endpoint /metrics of Calls plugin reveals channel IDs

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mattermost
Assigner Org ID:9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At:06 Dec, 2023 | 08:11
Updated At:16 Dec, 2024 | 16:02
Rejected At:
▼CVE Numbering Authority (CNA)
Public endpoint /metrics of Calls plugin reveals channel IDs

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

Affected Products
Vendor
Mattermost, Inc.Mattermost
Product
Mattermost
Default Status
unaffected
Versions
Affected
  • From 0 through 7.8.13 (semver)
  • From 0 through 8.1.4 (semver)
Unaffected
  • 8.1.5
  • 7.8.14
Problem Types
TypeCWE IDDescription
CWECWE-200CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-200
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Mattermost Server to versions 8.1.5, 7.8.14 or higher.

Configurations

Workarounds

Exploits

Credits

finder
DoyenSec
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://mattermost.com/security-updates
N/A
Hyperlink: https://mattermost.com/security-updates
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://mattermost.com/security-updates
x_transferred
Hyperlink: https://mattermost.com/security-updates
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:responsibledisclosure@mattermost.com
Published At:06 Dec, 2023 | 09:15
Updated At:12 Dec, 2023 | 19:23

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Mattermost, Inc.
mattermost
>>mattermost_server>>Versions before 7.8.14(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 8.0.0(inclusive) to 8.1.5(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-200Secondaryresponsibledisclosure@mattermost.com
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-200
Type: Secondary
Source: responsibledisclosure@mattermost.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://mattermost.com/security-updatesresponsibledisclosure@mattermost.com
Vendor Advisory
Hyperlink: https://mattermost.com/security-updates
Source: responsibledisclosure@mattermost.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1002Records found

CVE-2016-11075
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:27
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-39807
Matching Score-10
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-10
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.34% / 26.47%
||
7 Day CHG~0.00%
Published-03 Jul, 2024 | 08:31
Updated-02 Aug, 2024 | 04:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Channel IDs of archived/restored channels leaked via webhook events

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-1777
Matching Score-10
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-10
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.54% / 41.26%
||
7 Day CHG~0.00%
Published-31 Mar, 2023 | 11:35
Updated-06 Dec, 2024 | 23:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in linked message previews

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2017-18895
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:43
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-18887
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:10
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-18901
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:09
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-18902
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 18:43
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-46701
Matching Score-10
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-10
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.89%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:19
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inaccessible Post Information Leak via Run Timeline IDOR

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2016-11068
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:24
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-20850
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.90% / 55.27%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:34
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Mobile Apps before 1.26.0. A view cache can persist on a device after a logout.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_mobilen/a
CWE ID-CWE-459
Incomplete Cleanup
CVE-2019-20849
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.90% / 55.27%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:33
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Mobile Apps before 1.26.0. Cookie data can persist on a device after a logout.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_mobilen/a
CWE ID-CWE-459
Incomplete Cleanup
CVE-2016-11076
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.87% / 54.42%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:27
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-295
Improper Certificate Validation
CVE-2019-20877
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 16:28
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CVE-2019-20866
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 15:13
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2025-3913
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 17.90%
||
7 Day CHG~0.00%
Published-29 May, 2025 | 15:10
Updated-03 Oct, 2025 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team Privacy Settings Authorization Bypass in Mattermost Server

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-22445
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.5||LOW
EPSS-0.31% / 23.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 06:55
Updated-02 Oct, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Misleading UI for undefined admin console settings in Calls causes security confusion

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-2808
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 32.74%
||
7 Day CHG~0.00%
Published-29 May, 2023 | 09:07
Updated-06 Dec, 2024 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of URL normalization allows rendering previews for disallowed domains

Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-20
Improper Input Validation
CVE-2025-0503
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.23% / 14.24%
||
7 Day CHG~0.00%
Published-14 Feb, 2025 | 17:52
Updated-29 Sep, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Leaked User IDs and Metadata of Deleted DMs

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-39772
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.31% / 23.06%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 14:27
Updated-01 Nov, 2024 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Silent Desktop Screenshot Capture

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-284
Improper Access Control
CVE-2020-14457
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.89%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:13
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CVE-2020-14452
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.28% / 66.47%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:09
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-0903
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.80% / 51.93%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 15:17
Updated-06 Dec, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack overflow in SAML login in Mattermost

A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-787
Out-of-bounds Write
CVE-2023-5875
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.33% / 24.72%
||
7 Day CHG~0.00%
Published-02 Nov, 2023 | 08:27
Updated-05 Sep, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of Hardening against media exploitation from a remote origin

Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost Desktop
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2023-5331
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 23.71%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:40
Updated-05 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Information Leak via IDOR in file_id in Draft Posts

Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2016-11081
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.74% / 50.21%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:29
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2016-11066
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.14% / 62.79%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:23
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2016-11078
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.93% / 56.34%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:28
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6346
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-8.7||HIGH
EPSS-0.29% / 20.75%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 08:37
Updated-18 May, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive credentials exposed in plaintext in Mattermost support packets

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-2401
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.69% / 48.33%
||
7 Day CHG~0.00%
Published-14 Jul, 2022 | 17:20
Updated-06 Dec, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team members could access sensitive information of other users via an API call

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-27266
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-2.7||LOW
EPSS-0.53% / 40.64%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 14:46
Updated-06 Dec, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Disclosure of team owner email address when when accessing the teams API

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-3636
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.16%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 10:23
Updated-22 May, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sanitize team member data returned by API

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking various team API endpoints.. Mattermost Advisory ID: MMSA-2026-00626

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-13821
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.20% / 9.78%
||
7 Day CHG~0.00%
Published-16 Feb, 2026 | 11:57
Updated-18 Feb, 2026 | 21:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User profile update exposes password hash and MFA secrets

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-3433
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.82%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 15:46
Updated-18 Jun, 2026 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost fails to scope role_updated websocket events to authorized team and channel members

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-12559
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 8.55%
||
7 Day CHG+0.01%
Published-27 Nov, 2025 | 16:36
Updated-03 Dec, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure in Common Teams API

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-11794
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.24% / 15.45%
||
7 Day CHG~0.00%
Published-14 Nov, 2025 | 10:45
Updated-01 Dec, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Password hash and MFA secret returned in user email verification endpoint

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6347
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-7.6||HIGH
EPSS-0.26% / 16.96%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 08:30
Updated-18 May, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6046
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.82%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 15:52
Updated-18 Jun, 2026 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username.. Mattermost Advisory ID: MMSA-2026-00649

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-27265
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-2.7||LOW
EPSS-0.53% / 40.64%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 14:46
Updated-06 Dec, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Disclosure of team owner email address when regenerating Invite ID

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-2281
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.47% / 37.63%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 13:04
Updated-06 Dec, 2024 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Archiving a team broadcasts unsanitized data over WebSockets

When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-37867
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.67% / 47.51%
||
7 Day CHG~0.00%
Published-18 Jan, 2022 | 16:52
Updated-06 Dec, 2024 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Emails of all users are exposed via one of the Boards APIs

Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_boardsMattermost Boards
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-6727
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.41% / 32.90%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 10:53
Updated-24 May, 2025 | 10:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Leak Inaccessible Playbook Information via Channel Action IDOR

Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-2476
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-7.6||HIGH
EPSS-0.18% / 7.69%
||
7 Day CHG~0.00%
Published-16 Mar, 2026 | 11:11
Updated-20 Mar, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MS Teams plugin sensitive config values not properly masked in support packets

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

Action-Not Available
Vendor-Mattermost, Inc.
Product-ms_teamsMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-1831
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-7.2||HIGH
EPSS-0.42% / 33.80%
||
7 Day CHG~0.00%
Published-17 Apr, 2023 | 14:21
Updated-06 Dec, 2024 | 23:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User password logged in audit logs

Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2023-1562
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.5||LOW
EPSS-0.46% / 36.89%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 10:16
Updated-06 Dec, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Full name revealed via /plugins/focalboard/api/v2/users

Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-5160
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 28.04%
||
7 Day CHG~0.00%
Published-02 Oct, 2023 | 10:46
Updated-05 Sep, 2024 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Full name disclosure via team top membership with Show Full Name option disabled

Mattermost fails to check the Show Full Name option at the /api/v4/teams/TEAM_ID/top/team_members endpoint allowing a member to get the full name of another user even if the Show Full Name option was disabled

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-52032
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.62%
||
7 Day CHG~0.00%
Published-09 Nov, 2024 | 17:19
Updated-14 Nov, 2024 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Private channel names leaking when Elasticsearch is enabled

Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-43754
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.49%
||
7 Day CHG~0.00%
Published-27 Nov, 2023 | 09:11
Updated-02 Aug, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels

Mattermost fails to check whether the  “Allow users to view archived channels”  setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-21260
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.74% / 50.02%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 16:49
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-2792
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.62% / 45.14%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 09:01
Updated-06 Dec, 2024 | 23:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ephemeral messages return private channel contents in permalink previews

Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-2514
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.55% / 41.82%
||
7 Day CHG~0.00%
Published-12 May, 2023 | 08:56
Updated-06 Dec, 2024 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DB username/password revealed in application logs

Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 20
  • 21
  • Next
Details not found