Mattermost 7.10.0
cpe:2.3:a:mattermost:mattermost:7.10.0:*:*:*:*:*:*:*
| Component | Value |
|---|---|
| Part | a |
| Vendor | Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc) |
| Product | Mattermost (fd9a4a2e-f26d-5cef-a4c3-f85b0b13d8ea) |
| Version | 7.10.0 |
| Update | * |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
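The CPE name above is a CPE 2.3 formatted string: the fixed `cpe:2.3` prefix followed by eleven colon-separated components (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), where `*` means ANY, `-` means NA, and a backslash escapes a literal colon or other special character. The Go program below is an added example written for this page; it is not part of this database entry and is not Mattermost's or NVD's code. It parses such a string with escape-aware splitting (splitting on `:` alone would shift every component after an escaped colon) and applies a deliberately simplified component-wise match: `*` on either side matches anything, otherwise values must be equal ignoring ASCII case. The full NISTIR 7696 matching algorithm is not implemented, and the 7.10.1 inventory entry it compares against is constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Component names in the order they appear in a CPE 2.3 formatted string,
// after the fixed "cpe" and "2.3" prefix.
var componentNames = []string{
	"part", "vendor", "product", "version", "update", "edition",
	"language", "sw_edition", "target_sw", "target_hw", "other",
}

// CPE is a parsed CPE 2.3 name. Values are kept in their formatted-string
// encoding (backslash escapes preserved); "*" means ANY and "-" means NA.
type CPE map[string]string

// splitComponents splits s on unescaped colons. A backslash escapes the next
// byte, so `foo\:bar` stays a single component.
func splitComponents(s string) []string {
	var fields []string
	var cur strings.Builder
	escaped := false
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case escaped:
			cur.WriteByte('\\')
			cur.WriteByte(c)
			escaped = false
		case c == '\\':
			escaped = true
		case c == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	if escaped { // dangling backslash at the end: keep it verbatim
		cur.WriteByte('\\')
	}
	return append(fields, cur.String())
}

// ParseCPE validates the prefix, the component count and the part value, and
// rejects empty components (a formatted string must use "*" or "-" instead).
func ParseCPE(s string) (CPE, error) {
	fields := splitComponents(s)
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return nil, fmt.Errorf("not a CPE 2.3 formatted string (want cpe:2.3 plus 11 components): %q", s)
	}
	cpe := make(CPE, len(componentNames))
	for i, name := range componentNames {
		v := fields[i+2]
		if v == "" {
			return nil, fmt.Errorf("component %q is empty", name)
		}
		cpe[name] = v
	}
	if p := cpe["part"]; p != "a" && p != "o" && p != "h" {
		return nil, fmt.Errorf("part must be a, o or h, got %q", p)
	}
	return cpe, nil
}

// Matches reports whether every component of target is satisfied by candidate
// under the simplified rule used here: "*" on either side matches anything,
// otherwise the encoded values must be equal ignoring ASCII case. NA handling
// and wildcards inside values (NISTIR 7696) are intentionally not implemented.
func Matches(target, candidate CPE) bool {
	for _, name := range componentNames {
		t, c := target[name], candidate[name]
		if t == "*" || c == "*" {
			continue
		}
		if !strings.EqualFold(t, c) {
			return false
		}
	}
	return true
}

func main() {
	// The CPE name this page describes.
	page, err := ParseCPE("cpe:2.3:a:mattermost:mattermost:7.10.0:*:*:*:*:*:*:*")
	if err != nil {
		panic(err)
	}
	for _, name := range componentNames {
		fmt.Printf("%-10s %s\n", name, page[name])
	}
	// Constructed inventory entry for a deployed instance; only the version differs.
	deployed, _ := ParseCPE("cpe:2.3:a:mattermost:mattermost:7.10.1:*:*:*:*:*:*:*")
	fmt.Println("7.10.1 matched by the 7.10.0 entry:", Matches(page, deployed))
}
```

Because the page's entry pins the version component to `7.10.0`, a 7.10.1 deployment is not matched by it; a scanner that wants to apply these CVEs to a version range must consult the CVE's own affected-version data rather than the single CPE name.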
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/mattermost/mattermost-server | purl2cpe | 2026-06-01 10:18:19.703950 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2023-2831 | vulnerable | 2026-06-03 14:51:44.105425 | Denial of Service while unescaping a Markdown string. MEDIUM (4.3). Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters. Published 2023-06-16T09:06:15.292Z, updated 2024-12-06T22:59:43.137Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2797 | vulnerable | 2026-06-03 14:51:43.909657 | Path traversal in GitHub plugin's code preview feature. LOW (3.1). Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. Published 2023-06-16T09:03:17.656Z, updated 2024-12-06T22:59:54.420Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2793 | vulnerable | 2026-06-03 14:51:43.897293 | Stack exhaustion in PreparePostForClientWithEmbedsAndImages. MEDIUM (6.5). Mattermost fails to validate links on external websites when constructing a preview for a linked website, allowing an attacker to cause a denial of service by linking to a specially crafted webpage in a message. Published 2023-06-16T09:02:34.751Z, updated 2024-12-06T23:00:16.890Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2792 | vulnerable | 2026-06-03 14:51:43.896862 | Ephemeral messages return private channel contents in permalink previews. MEDIUM (6.5). Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents via a specially crafted /groupmsg command. Published 2023-06-16T09:01:43.650Z, updated 2024-12-06T23:00:28.026Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2791 | vulnerable | 2026-06-03 14:51:43.896331 | Playbooks lets you edit arbitrary posts. MEDIUM (4.3). When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post. Published 2023-06-16T08:59:16.854Z, updated 2024-12-06T23:00:39.136Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2788 | vulnerable | 2026-06-03 14:51:43.888805 | Deactivated user can retain access using oauth2 api. MEDIUM (6.2). Mattermost fails to check whether an admin user account is still active after an oauth2 flow has been started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated. Published 2023-06-16T08:58:15.392Z, updated 2024-12-06T23:00:50.221Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2787 | vulnerable | 2026-06-03 14:51:43.888395 | Collapsed Reply Threads APIs leak message contents from private channels. MEDIUM (6.5). Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API. Published 2023-06-16T08:55:39.391Z, updated 2024-12-06T23:03:17.719Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2786 | vulnerable | 2026-06-03 14:51:43.888000 | Channel commands execution doesn't properly verify permissions. MEDIUM (4.3). Mattermost fails to properly check permissions when executing commands, allowing a member who lacks permission to post a message in a channel to post one anyway by executing channel commands. Published 2023-06-16T08:43:49.826Z, updated 2024-12-06T23:03:28.990Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2785 | vulnerable | 2026-06-03 14:51:43.887569 | Specially crafted search query can cause large log entries in postgres. MEDIUM (4.3). Mattermost fails to properly truncate the postgres error log message of a search query failure, allowing an attacker to cause the creation of large log files, which can result in Denial of Service. Published 2023-06-16T09:07:28.235Z, updated 2024-12-06T22:59:34.763Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2784 | vulnerable | 2026-06-03 14:51:43.887102 | Apps Framework allows install requests from regular members via an internal path. MEDIUM (4.2). Mattermost fails to verify whether the requestor is a sysadmin before allowing `install` requests to the Apps, so a regular user can send install requests to the Apps. Published 2023-06-16T08:41:59.270Z, updated 2024-12-06T23:03:40.088Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2783 | vulnerable | 2026-06-03 14:51:43.886579 | App Framework does not check the secret provided in the incoming webhook request. MEDIUM (4.3). The Mattermost Apps Framework fails to verify the secret provided in an incoming webhook request, allowing an attacker to modify the contents of the post sent by the Apps. Published 2023-06-16T08:39:26.096Z, updated 2024-12-06T23:03:51.327Z. | Imported from gcve-enriched-dumps CVE data |
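CVE-2023-2831 in the table above describes a resource-exhaustion class rather than a logic flaw: the cost of unescaping a Markdown string grows faster than linearly in the number of escape sequences, so one message packed with `\*` can dominate server CPU and memory. The Go program below is an added illustration of that class, constructed for this page; it is not Mattermost's code and does not reproduce the routine the CVE refers to. It contrasts an unescaper that rebuilds the string on every escape (quadratic allocation and copying) with a single-pass, pre-sized implementation, and measures what each allocates on a constructed message of 20000 escaped asterisks.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// CommonMark lets a backslash escape any ASCII punctuation character;
// a backslash before anything else (e.g. `\n`) is literal.
const asciiPunctuation = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

func isEscapable(c byte) bool {
	return strings.IndexByte(asciiPunctuation, c) >= 0
}

// unescapeNaive drops each escaping backslash by rebuilding the string in
// place. Every rebuild copies the whole remaining string, so a message with n
// escapes costs roughly n*len(s) bytes of allocation and copying, and n is
// chosen by the sender. Constructed example of the weakness class.
func unescapeNaive(s string) string {
	for i := 0; i+1 < len(s); i++ {
		if s[i] == '\\' && isEscapable(s[i+1]) {
			s = s[:i] + s[i+1:] // allocates and copies a fresh string each time
		}
	}
	return s
}

// unescapeLinear does the same job in one pass into a buffer sized once up
// front, so the cost is linear in the message length no matter how many
// escapes it contains.
func unescapeLinear(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+1 < len(s) && isEscapable(s[i+1]) {
			i++ // skip the backslash; the escaped character is written below
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

var sink string // keeps results reachable so the work cannot be optimised away

// bytesAllocated returns the cumulative heap bytes allocated while f runs.
func bytesAllocated(f func()) uint64 {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	f()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

// CompareAllocations runs both unescapers on a constructed message of n
// escaped asterisks (2n bytes, n escapes) and returns the bytes each allocated.
func CompareAllocations(n int) (naive, linear uint64) {
	msg := strings.Repeat(`\*`, n) // constructed hostile input
	naive = bytesAllocated(func() { sink = unescapeNaive(msg) })
	linear = bytesAllocated(func() { sink = unescapeLinear(msg) })
	return naive, linear
}

func main() {
	fmt.Println(unescapeLinear(`\*not emphasis\* and a literal \\ backslash`))
	naive, linear := CompareAllocations(20000)
	fmt.Printf("20000 escapes: naive allocated %d bytes, single-pass allocated %d bytes\n",
		naive, linear)
}
```

Both functions return identical text, so a unit test on output alone would pass either one; the property a fix for this class has to establish is the allocation bound, which is why the example measures it rather than only checking the result.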