Mattermost Security Updates

To report security issues please see the Mattermost Responsible Disclosure Policy. To sign up for notifications when a security fix is released, please join our Security Bulletin mailing list.

Mattermost software undergoes security review and penetration testing by organizations preparing for deployment, by leaders in the global security research community, and through internal review and testing.

Feedback is responsibly shared to the product team in order to offer security updates to the Mattermost community prior to publicly disclosing issues on the Mattermost Security Updates page.

Note: To increase the safety of Mattermost users, specific details on security updates in Mattermost releases are announced 30 days after the availability of the update. We have a mandatory upgrade policy and only provide updates for the latest release.

Issues

Issue Identifier Severity Affected Versions Fix Release Date Fix Versions Issue Details Issue Platform
MMSA-2024-00303 Low <=2.13.0 2024-03-15 v2.14.0

Details on the security update will be posted here on April 15th, as per our Responsible Disclosure Policy.

Mattermost Mobile Apps
MMSA-2023-00256 Low <=8.1.10 2024-03-06 v9.5.0, 8.1.11

Details on the security update will be posted here on April 5th, as per our Responsible Disclosure Policy.

Mattermost Server
MMSA-2024-00306 Medium <=9.5.1, <=9.4.3, <=9.3.2, <=8.1.10 2024-03-06 v9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11

Details on the security update will be posted here on April 5th, as per our Responsible Disclosure Policy.

Mattermost Server
MMSA-2024-00311 Medium <=9.5.1, <=9.4.3, <=9.3.2, <=8.1.10 2024-03-06 v9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11

Details on the security update will be posted here on April 5th, as per our Responsible Disclosure Policy.

Mattermost Server
MMSA-2023-00274 Medium <=9.5.1, <=9.4.3, <=9.3.2, <=8.1.10 2024-03-06 v9.6.0, 9.5.2, 9.4.4, 9.3.3, 8.1.11

Details on the security update will be posted here on April 5th, as per our Responsible Disclosure Policy.

Mattermost Server
MMSA-2023-00277 Low <=2.12.0 2024-02-16 v2.13.0

(CWE-400) Fixed an issue where a very large code block could crash the mobile app, by limiting the size of the code block that will be processed by the syntax highlighter. Thanks to Gian Klug for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2024-00309 High <=9.5.0, <=9.4.2, <=9.3.1, <=9.2.5, <=8.1.9 2024-02-14 v9.5.1, 9.4.3, 9.3.2, 9.2.6, 8.1.10

(CWE-287) Fixed an issue where an existing user registered in a trusted identity provider could take over other user accounts under specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2024-00296 Medium <=9.4.2, <=9.3.1, <=9.2.5, <=8.1.9 2024-02-14 v9.5.0, 9.4.3, 9.3.2, 9.2.6, 8.1.10

(CWE-400) Fixed an issue where a post with an extremely large number of mentions could crash the client app, by limiting the number of mention tokens we will parse per message. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
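The mention cap in MMSA-2024-00296 is one instance of the pattern behind most CWE-400 entries on this page (the code-block size limit in MMSA-2023-00277, the role-name and emoji-reaction limits further down): bound the input size up front and bound the number of tokens processed per message, so the work a single post can cause does not depend on what the sender wrote. The Go example below is added here and is not Mattermost code; the limits, the ASCII-only mention syntax, and the decision to reject rather than truncate oversized input are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits are constructed for this example; the advisory does not state the
// values Mattermost chose.
const (
	MaxMessageBytes  = 16 * 1024
	MaxMentionTokens = 100
)

var ErrMessageTooLarge = errors.New("message exceeds MaxMessageBytes")

// MentionResult is what the bounded scanner hands back: the usernames found
// and whether it stopped early because the cap was reached.
type MentionResult struct {
	Mentions  []string
	Truncated bool
}

// isMentionByte restricts mention tokens to ASCII username characters so the
// scan is a single byte-wise pass, O(len(msg)).
func isMentionByte(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
		c >= '0' && c <= '9' || c == '.' || c == '-' || c == '_'
}

// ExtractMentions rejects oversized input outright and stops collecting once
// MaxMentionTokens have been seen. Truncated tells the caller the cap was hit
// so it can log or reject instead of silently dropping mentions.
func ExtractMentions(msg string) (MentionResult, error) {
	var res MentionResult
	if len(msg) > MaxMessageBytes {
		return res, ErrMessageTooLarge
	}
	for i := 0; i < len(msg); i++ {
		if msg[i] != '@' {
			continue
		}
		// "@" must start the text or follow a non-name byte, so that e-mail
		// addresses are not treated as mentions.
		if i > 0 && isMentionByte(msg[i-1]) {
			continue
		}
		j := i + 1
		for j < len(msg) && isMentionByte(msg[j]) {
			j++
		}
		name := strings.TrimRight(msg[i+1:j], ".-_") // drop trailing punctuation
		if name == "" {
			continue
		}
		if len(res.Mentions) >= MaxMentionTokens {
			res.Truncated = true
			break
		}
		res.Mentions = append(res.Mentions, name)
		i = j - 1
	}
	return res, nil
}

func main() {
	res, err := ExtractMentions("hi @alice, see @bob. mail me at me@example.com")
	fmt.Println(res.Mentions, res.Truncated, err)
}
```

The same two controls (a byte limit checked before any parsing, and a counter checked inside the loop) apply to syntax highlighting, emoji parsing, and any other per-message tokenizer; the counter matters because a message well under the byte limit can still contain thousands of short tokens.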
MMSA-2023-00260 Medium <=9.4.2, <=9.3.1, <=9.2.5, <=8.1.9 2024-02-14 v9.5.0, 9.4.3, 9.3.2, 9.2.6, 8.1.10

(CWE-74) Fixed an issue where opening a malicious link could lead to client-side script execution on an error page. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00287 Low <=8.1.9 2024-02-14 v9.5.0, 8.1.10

(CWE-400) Fixed an issue where a very large email payload could crash the server, by limiting the size of the payload that can be read and parsed. Thanks to themarkib0x0 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00267 Low <=9.4.1, <=8.1.8 2024-01-30 v9.4.2, 8.1.9

(CWE-200) Fixed an issue where a race condition in post deletion could cause post contents to leak in permalink previews. Thanks to Agniva de Sarker for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00292 Low <=9.4.1, <=8.1.8 2024-01-30 v9.4.2, 8.1.9

(CWE-284) Fixed an issue where files of archived channels were accessible by members even if the “Allow users to view archived channels” option was disabled. Thanks to BhaRat for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00265 Low <=9.4.0, <=8.1.8 2024-01-30 v9.4.0, 8.1.9

(CWE-200) Fixed an issue where data associated with permalinks wasn’t being properly sanitized when editing ephemeral posts. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00290 Low <=9.4.0, <=8.1.8 2024-01-30 v9.4.0, 8.1.9

(CWE-74) Fixed an issue where lack of validation on the title of an attachment led to HTML injection while rendering markdown in the MessageAttachment component. Thanks to Tri (trichimtrich_) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00285 Medium <=9.4.1, <=9.3.0, <=9.2.4, <=8.1.8 2024-01-30 v9.4.2, 9.3.1, 9.2.5, 8.1.9

(CWE-284) Fixed an issue where lack of proper authorization led to existing guests of other teams being added to a team by members who didn’t have the “invite_guest” permission. Thanks to Eva Sarafianou for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00284 Medium <=9.4.1, <=9.3.0, <=9.2.4, <=8.1.8 2024-01-30 v9.4.2, 9.3.1, 9.2.5, 8.1.9

(CWE-200) Fixed an issue where team-associated AD/LDAP groups were leaked due to missing authorization when fetching the group details. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00273 Medium <=9.4.1, <=9.3.0, <=9.2.4, <=8.1.8 2024-01-30 v9.4.2, 9.3.1, 9.2.5, 8.1.9

(CWE-400) Fixed an issue where a large number of role names could be requested and cause the server to run out of memory. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00283 Medium <=9.3.0, <=9.2.4, <=8.1.8 2024-01-30 v9.4.0, 9.3.1, 9.2.5, 8.1.9

(CWE-284) Fixed an issue where permalinked message contents were sometimes returned to users who did not otherwise have access to the message. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00281 Medium <=9.3.0, <=9.2.4, <=8.1.8 2024-01-30 v9.4.0, 9.3.1, 9.2.5, 8.1.9

(CWE-400) Fixed an issue where setting a custom user status with an emoji value of a very long string multiple times consumed excessive resources possibly crashing the server. Thanks to Gian Klug for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00221 Medium <=9.3.0, <=9.2.4, <=8.1.8 2024-01-30 v9.4.0, 9.3.1, 9.2.5, 8.1.9

(CWE-284) Fixed an issue where compliance export was not being checked when getting access to posts/threads. Thanks to Eva Sarafianou for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00268 Low <=8.1.7 2024-01-09 v9.3.0, 8.1.8

(CWE-284) Fixed an issue where channel member counts could be leaked to a user without permissions. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00187 Low <=8.1.7 2024-01-09 v9.3.0, 8.1.8

(Authorization) Fixed an issue where an attacker with admin privileges could create a webhook to access all Jira issues. Thanks to Michael Kochell for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00194 Low <=8.1.7 2024-01-09 v9.3.0, 8.1.8

(CSRF) Fixed an issue where viewing a specially crafted post could disconnect a Mattermost user from Jira. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00276 Medium <=9.2.3, <=9.1.4, <=8.1.7 2024-01-09 v9.3.0, 9.2.4, 9.1.5, 8.1.8

(CWE-400) Fixed an issue where a large number of emoji reactions could cause denial of service. Thanks to Gian Klug (coderion) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00243 Low <=8.1.6 2023-11-29 v8.1.7

(CWE-200) Fixed an issue where the WebSocket would broadcast the information about who was notified about a post to everyone else in the channel, by introducing hooks that would scope the response to a specific user. Thanks to Daniel Espino Garcia for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00263 Low <=8.1.6 2023-11-29 v8.1.7

(CWE-284) Fixed an issue where freshly demoted guests could change group names. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00266 Low <=8.1.6 2023-11-29 v8.1.7

(CWE-79) Fixed an issue where crafted channel mentions in posts could lead to XSS. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00269 Medium <=9.2.2, <=9.1.3, <=9.0.4, <=8.1.6 2023-11-29 v9.2.3, 9.1.4, 9.0.5, 8.1.7

(CWE-284) Fixed an issue where archived channel names could be accessed without required permissions. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00253 High <=2.10.0 2023-11-29 v2.10.1

(CWE-74) Fixed an issue where an attacker could successfully trigger a path traversal leading to CSRF due to improper validation of deeplink path parameters. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2023-00271 Low <=8.1.5, <=9.2.1 2023-11-13 v9.2.2, 8.1.6

(CWE-284) Fixed an issue where playbooks could be accessed by users with permissions to the playbook but no permissions to the team the playbook was on. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00236 Low <=8.1.5, <=9.2.1 2023-11-13 v9.2.2, 8.1.6

(CWE-200) Fixed an issue where playbook actions could be created by users without access to the playbook. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00227 Low <=8.1.5, <=9.1.0 2023-11-13 v9.2.0, 8.1.6

(CWE-400) Fixed an issue where a member could disable the todo plugin by sending a specially crafted request that crashed the plugin a few times. Thanks to Ben Schumacher for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00245 High <=9.2.1, <=9.1.2, <=9.0.3, <=8.1.5, <=7.8.14 2023-11-13 v9.2.2, 9.1.3, 9.0.4, 8.1.6, 7.8.15

(CWE-352) Fixed a reflected client-side path traversal that was leading to a CSRF in the /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> endpoint of the Playbooks plugin. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00247 Medium <=9.2.1, <=9.1.2, <=9.0.3, <=8.1.5, <=7.8.14 2023-11-13 v9.2.2, 9.1.3, 9.0.4, 8.1.6, 7.8.15

(CWE-284) Fixed an issue where a guest could update the tasks of a private playbook run if they knew the run ID. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00231 Medium <=9.2.1, <=9.1.2, <=9.0.3, <=8.1.5, <=7.8.14 2023-11-13 v9.2.2, 9.1.3, 9.0.4, 8.1.6, 7.8.15

(CWE-400) Fixed an issue where an attacker could crash the playbooks plugin by setting a really long title in a run’s checklist. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00237 Medium <=9.2.1, <=9.1.2, <=9.0.3, <=8.1.5, <=7.8.14 2023-11-13 v9.2.2, 9.1.3, 9.0.4, 8.1.6, 7.8.15

(CWE-200) Fixed an issue where an attacker could get limited information about a post due to an IDOR in /plugins/playbooks/api/v0/runs/add-to-timeline-dialog. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00238 Medium <=9.2.1, <=9.1.2, <=9.0.3, <=8.1.5, <=7.8.14 2023-11-13 v9.2.2, 9.1.3, 9.0.4, 8.1.6, 7.8.15

(CWE-754) Fixed an issue where an attacker could crash the Playbooks plugin due to a missing interface type assertion when updating the status dialog. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00250 Low <=7.8.13, <=8.1.4 2023-11-06 v8.1.5, 7.8.14

(CWE-200) Fixed an issue where the /metrics endpoint grouped calls by id and reported that id (which is also the channelID), thereby potentially revealing channelIDs. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00248 High <=9.1.1, <=9.0.2, <=8.1.4, <=7.8.13 2023-11-06 v9.1.2, 9.0.3, 8.1.5, 7.8.14

(CWE-74) Fixed an issue where route parameters were not validated, by adding validation to ensure they are of the expected format (preventing path traversal). Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
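A route-parameter check of the kind MMSA-2023-00248 describes is cheapest to apply once, at the edge, by refusing any identifier that does not have the expected shape before it reaches a storage path or lookup key. The Go example below is added here and is not Mattermost code; the /api/v4/things/{thing_id}/preview route is hypothetical, and the 26-character lowercase base32 id format is an assumption made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IsValidID accepts only a 26-character lowercase base32 string (assumed id
// format for this example). Anything else, including "..", a decoded "%2e%2e",
// uppercase, or a value containing a slash, is refused before use.
func IsValidID(s string) bool {
	if len(s) != 26 {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9') {
			return false
		}
	}
	return true
}

// thingHandler serves the hypothetical route /api/v4/things/{thing_id}/preview.
// The id segment is validated first; only a value that passed IsValidID is ever
// interpolated into the back-end key.
func thingHandler(w http.ResponseWriter, r *http.Request) {
	rest := strings.TrimPrefix(r.URL.Path, "/api/v4/things/")
	parts := strings.Split(rest, "/")
	if len(parts) != 2 || parts[1] != "preview" {
		http.NotFound(w, r)
		return
	}
	id := parts[0]
	if !IsValidID(id) {
		http.Error(w, "invalid thing_id", http.StatusBadRequest)
		return
	}
	key := "things/" + id + "/preview" // safe: id matched [a-z0-9]{26}
	fmt.Fprintf(w, "would fetch %s\n", key)
}

// StatusFor runs one request through the handler and returns the HTTP status.
func StatusFor(path string) int {
	rec := httptest.NewRecorder()
	thingHandler(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{
		"/api/v4/things/8fzt4p6b5tny3fjch7re9dxhqh/preview",
		"/api/v4/things/%2e%2e/preview",
		"/api/v4/things/../preview",
	} {
		fmt.Println(StatusFor(p), p)
	}
}
```

Note that net/url decodes %2e%2e into ".." in r.URL.Path, so the check must run on the decoded segment, which is what the handler does; a check applied only to the raw request line would miss the encoded form.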
MMSA-2023-00198 Low <=7.8.12, <=8.1.3 2023-10-27 v8.1.4, 7.8.13

(CWE-284) Fixed an issue where, if settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled. Thanks to Eva Sarafianou for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00228 Low <=7.8.12, <=8.1.3 2023-10-27 v8.1.4, 7.8.13

(CWE-74) Fixed an issue where the application was filling aria labels using `innerHTML`. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00216 Low <=7.8.12, <=8.1.3 2023-10-27 v8.1.4, 7.8.13

(CWE-200) Fixed an issue where a member could get the full name of another user even if the Show Full Name option was disabled by sending a request to /plugins/focalboard/api/v2/users/<user_id>?teamID=<team_id>&channelID=<channel_id>. Thanks to Pyae Phyo for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00233 Medium <=7.8.12, <=8.1.3, <=9.0.1, 9.1.0 2023-10-27 v9.1.1, 9.0.2, 8.1.4, 7.8.13

(CWE-400) Fixed an issue where specially crafted requests to /api/v4/image were logged, potentially overflowing the log. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00252 Medium <=7.8.12, <=8.1.3, <=9.0.1, 9.1.0 2023-10-27 v9.1.1, 9.0.2, 8.1.4, 7.8.13

(CWE-601) Fixed an issue where an open redirect was possible when the user clicked “Back to Mattermost” after providing an invalid custom URL scheme in /oauth/{service}/mobile_login?redirect_to=. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
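For redirect_to handling of the kind MMSA-2023-00252 concerns, the practical check is an allow-list of where a post-login link may send the browser: site-relative paths, the site's own origin, and the specific custom scheme the mobile app registers. The Go example below is added here and is not Mattermost code; chat.example.com and the mmauth scheme are placeholders, not values from the advisory.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Allow-list for this example (placeholders, not from the advisory).
var (
	siteURL        = mustParse("https://chat.example.com")
	allowedSchemes = map[string]bool{"mmauth": true}
)

func mustParse(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

// SafeRedirect returns the vetted target and true, or the site root and false
// when redirect_to is not acceptable. Accepted shapes:
//   - a site-relative path ("/channels/town-square"),
//   - an absolute URL whose scheme and host equal the site URL's,
//   - an allow-listed custom scheme for the mobile app.
// Other hosts, protocol-relative "//host", backslashes (browsers treat them as
// slashes), CR/LF, credentials in the URL, and javascript:/data: all fall back.
func SafeRedirect(redirectTo string) (string, bool) {
	fallback := siteURL.Scheme + "://" + siteURL.Host + "/"
	if redirectTo == "" || strings.ContainsAny(redirectTo, "\\\r\n") {
		return fallback, false
	}
	u, err := url.Parse(redirectTo)
	if err != nil || u.User != nil {
		return fallback, false
	}
	switch {
	case u.Scheme == "" && u.Host == "" && strings.HasPrefix(u.Path, "/"):
		// Site-relative: rebuild on our own origin from path and query only.
		return siteURL.Scheme + "://" + siteURL.Host + u.RequestURI(), true
	case u.Scheme == siteURL.Scheme && strings.EqualFold(u.Host, siteURL.Host):
		return u.String(), true
	case allowedSchemes[u.Scheme]:
		return u.String(), true
	}
	return fallback, false
}

func main() {
	for _, in := range []string{"/channels/town-square", "//evil.example/x", "mmauth://callback?code=abc", "javascript:alert(1)"} {
		target, ok := SafeRedirect(in)
		fmt.Printf("%-28s ok=%-5v -> %s\n", in, ok, target)
	}
}
```

The protocol-relative case is the one most often missed: url.Parse turns "//evil.example/x" into an empty scheme with a non-empty host, so a check that only looks at the scheme would pass it.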
MMSA-2023-00241 Medium <=7.8.12, <=8.1.3, <=9.0.1, 9.1.0 2023-10-27 v9.1.1, 9.0.2, 8.1.4, 7.8.13

(CWE-200) Fixed an issue where permalink previews were displayed for posts in archived channels, even if the “Allow users to view archived channels” option was disabled. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00254 Medium <=7.8.12, <=8.1.3, <=9.0.1, 9.1.0 2023-10-27 v9.1.1, 9.0.2, 8.1.4, 7.8.13

(CWE-284) Fixed an issue where a guest user knowing the ID of another user could get their information (e.g. name, surname, nickname) via Mattermost Boards by sending a request to POST /plugins/focalboard/api/v2/users. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00219 Medium <=7.8.12, <=8.1.3, <=9.0.1, 9.1.0 2023-10-27 v9.1.1, 9.0.2, 8.1.4, 7.8.13

(CWE-400) Fixed an issue where a member patching the field of a block using a specially crafted string could consume excessive resources which could lead to Denial of Service. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00218 Medium <=7.8.12, <=8.1.3, <=9.0.1, 9.1.0 2023-10-27 v9.1.1, 9.0.2, 8.1.4, 7.8.13

(CWE-400) Fixed an issue where a member importing a board using a specially crafted zip could consume excessive resources which could lead to Denial of Service. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00246 Medium <=8.1.2, <=8.0.3, <=7.8.11, 9.0.0 2023-10-06 v9.0.1, 8.1.3, 8.0.4, 7.8.12

(CWE-754) Fixed an issue where a request without a User-Agent string would cause a panic in the Calls plugin. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00240 Medium <=8.1.2, <=8.0.3, <=7.8.11, 9.0.0 2023-10-06 v9.0.1, 8.1.3, 8.0.4, 7.8.12

(CWE-400) Fixed an issue where an attacker could fill up the memory due to caching large items by sending a specially crafted request to /api/v4/redirect_location. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00242 Medium <=8.1.2, <=8.0.3, <=7.8.11, 9.0.0 2023-10-06 v9.0.1, 8.1.3, 8.0.4, 7.8.12

(CWE-200) Fixed an issue where the response after updating the username included the password hash. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
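MMSA-2023-00242 is the classic shape of a CWE-200 in an API: the stored record is serialized as the response. Two layers stop it regardless of which handler builds the body: tag credential fields so the JSON encoder never emits them, and serialize a sanitized copy rather than the record. The Go example below is added here and is not Mattermost code; the User type and the field names are a reduced model constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// User is a reduced model for this example. The json:"-" tags make the
// secret-bearing fields unmarshalable to clients whichever handler serializes
// the struct; Sanitize covers code paths that copy fields into other types.
type User struct {
	ID           string `json:"id"`
	Username     string `json:"username"`
	Email        string `json:"email,omitempty"`
	PasswordHash string `json:"-"`
	MFASecret    string `json:"-"`
	AuthData     string `json:"-"`
}

// Sanitize returns a copy with every credential-like field cleared.
func (u User) Sanitize() User {
	u.PasswordHash = ""
	u.MFASecret = ""
	u.AuthData = ""
	return u
}

// UpdateUsername models an "update username" flow: the stored record (hash
// and all) is updated, but the response body is built from the sanitized copy.
func UpdateUsername(stored *User, newName string) ([]byte, error) {
	if strings.TrimSpace(newName) == "" {
		return nil, fmt.Errorf("username must not be empty")
	}
	stored.Username = newName
	return json.Marshal(stored.Sanitize())
}

// legacyRow reproduces the defect pattern for contrast: a row-shaped type
// whose password column carries a JSON tag, marshaled straight to the client.
type legacyRow struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	Password string `json:"password"`
}

func legacyResponse(u User) []byte {
	b, _ := json.Marshal(legacyRow{ID: u.ID, Username: u.Username, Password: u.PasswordHash})
	return b
}

// LeaksSecret reports whether any non-empty secret survived into body.
func LeaksSecret(body []byte, secrets []string) bool {
	s := string(body)
	for _, sec := range secrets {
		if sec != "" && strings.Contains(s, sec) {
			return true
		}
	}
	return false
}

func main() {
	u := &User{ID: "8fzt4p6b5tny3fjch7re9dxhqh", Username: "old", PasswordHash: "$2a$10$constructedhash"}
	body, _ := UpdateUsername(u, "new")
	fmt.Printf("fixed:  %s\nlegacy: %s\n", body, legacyResponse(*u))
}
```

A LeaksSecret-style assertion on every response fixture in the test suite is cheap and catches the regression the moment someone adds a new serialization path.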
N/A N/A N/A 2023-10-03 v5.5.1

Mitigated the vulnerability CVE-2023-4863 of the third-party library libwebp by updating to Electron v26.2.1.

Mattermost Desktop App
MMSA-2023-00255 Low <=5.5.0 2023-10-03 v5.5.1

(CWE-400) Fixed an issue where a RegExp was being built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2023-00251 Low <=5.5.0 2023-10-03 v5.5.1

(CWE-693) Fixed an issue where the application was not correctly handling permissions, or prompting the user for certain sensitive ones. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2023-00249 Low <=5.5.0 2023-10-03 v5.5.1

(CWE-200) Fixed an issue where the application was not utilizing the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
N/A N/A N/A 2023-10-02 v2.8.1

Mitigated the vulnerability CVE-2023-4863 in the third-party library libwebp by patching the react-native-fast-image library, which resulted in the transitive dependency libwebp being updated to a non-vulnerable version.

Mattermost Mobile Apps
MMSA-2023-00253 High <=2.8.0 2023-10-02 v2.8.1

(CWE-74) Fixed an issue where an attacker could successfully trigger a path traversal leading to CSRF due to improper validation of deeplink path parameters. Thanks to DoyenSec for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2023-00235 Medium <5.5.0 2023-09-15 v5.5.0

(CWE-200) Fixed an issue where the Desktop App would default to the “Silly” logging level, potentially exposing all of the user’s keystrokes and filling up the user’s hard drive quickly. Thanks to Patrice Kolb for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2023-00226 Medium <2.8.0 2023-09-15 v2.8.0

(CWE-400) Fixed an issue where an attacker could cause a user’s Mattermost mobile app to freeze when visiting a channel containing a post with specially crafted emojis. Thanks to Šimon Čecháček for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2023-00239 Medium <=8.1.1, <=v8.0.2, <=v7.8.10 2023-09-08 v8.1.2, 8.0.3, 7.8.11

(CWE-400) Fixed an issue where a regular user could cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00232 Medium <=8.1.1, <=v8.0.2, <=v7.8.10 2023-09-08 v8.1.2, 8.0.3, 7.8.11

(CWE-400) Fixed an issue where an attacker could send a specially crafted request to the /api/v4/opengraph filling the cache and turning the server unavailable. Thanks to vulza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00234 Medium <=8.1.1, <=v8.0.2, <=v7.8.10 2023-09-08 v8.1.2, 8.0.3, 7.8.11

(CWE-284) Fixed an issue where the creator of an attached file was not checked when adding the file to a draft, thus potentially exposing unauthorized file information. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00210 Low <=8.1.0, <=v7.8.9 2023-09-01 v8.1.1, 7.8.10

(CWE-284) Fixed an issue where a User Manager role with user edit permissions could manage/update bots. Thanks to Pyae Phyo for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00217 Low <=8.1.0, <=v7.8.9 2023-09-01 v8.1.1, 7.8.10

(CWE-200) Fixed an issue where a member could get the full name of another user even if the Show Full Name option was disabled by sending a request to /api/v4/teams/<team_ID>/top/team_members?page=0&per_page=10&time_range=28_day. Thanks to Hack Cats for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00223 Low <=8.1.0, <=v7.8.9 2023-09-01 v8.1.1, 7.8.10

(CWE-284) Fixed an issue where a System/User Manager could deactivate or demote another System/User manager. Thanks to Pyae Phyo for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00222 Medium 8.1.0, <=8.0.1, <=v7.8.9 2023-09-01 v8.1.1, 8.0.2, 7.8.10

(CWE-284) Fixed an issue where a System Role with the permission to manage channels could read the posts of a DM conversation. Thanks to Pyae Phyo for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00230 Medium 8.1.0, <=8.0.1, <=v7.8.9 2023-09-01 v8.1.1, 8.0.2, 7.8.10

(CWE-284) Fixed an issue where a team member could soft delete other teams. Thanks to Jesse Hallam for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00224 Medium 8.1.0, <=8.0.1, <=v7.8.9 2023-09-01 v8.1.1, 8.0.2, 7.8.10

(CWE-400) Fixed an issue where an attacker could send a really long value for a notification_prop in the /api/v4/channels/<channel-id>/members/<user-id>/notify_props resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users. Thanks to vulza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00225 Medium 8.0.0, <=7.10.4, <=v7.8.8 2023-07-26 v8.0.1, 7.10.5, 7.8.9

(CWE-74) Fixed an issue where an attacker could register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. Thanks to 0AQD for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00207 Medium <=v7.10.3, <=v7.9.5, <= v7.8.7 2023-07-12 v7.10.4, 7.9.6, 7.8.8

(CWE-284) Fixed an issue where a user manager role with permissions to edit users could also update the system admin profile, including their email. Thanks to Pyae Phyo for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00214 Medium <=v7.10.3, <=v7.9.5, <= v7.8.7 2023-07-12 v7.10.4, 7.9.6, 7.8.8

(CWE-200) Fixed an issue where the audit logging wasn’t properly sanitizing post metadata. Thanks to Jo Astoreca for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00179 Medium <=v7.10.3, <=v7.9.5, <= v7.8.7 2023-07-12 v7.10.4, 7.9.6, 7.8.8

(CWE-284) Fixed an issue where attachments in posts of a thread were still accessible after the thread was deleted. Thanks to BhaRat (hackit_bharat) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00181 Medium <=v7.10.3, <=v7.9.5, <= v7.8.7 2023-07-12 v7.10.4, 7.9.6, 7.8.8

(CWE-284) Fixed an issue where a guest could perform various actions in public playbooks such as edit or archive. Thanks to Eva Sarafianou for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00220 High <=2.5.0 2023-06-23 v2.5.1

(CWE-319) Fixed an issue where the Mattermost iOS app failed to validate the server certificate properly while initializing the TLS connection allowing a network attacker to intercept the WebSockets connection. Thanks to aapo for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2023-00190 Medium <=7.10.2, <=7.9.4, <=7.8.6 2023-06-15 v7.10.3, 7.9.5, 7.8.7

(CWE-400) Fixed an issue where linking to a specially crafted image file could consume a significant amount of server resources, making the server unresponsive for an extended period of time. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00175 Low <=7.8.6, <=7.10.2 2023-06-15 v7.10.3, 7.8.7

(CWE-284) Fixed an issue where a system admin could modify a board state in a way that any user with a valid sharing link could join the board with editor access, without the UI showing that inconsistent state. Thanks to Daniel Pallinger (danipalli) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00202 Low <=7.8.6, <=7.10.2 2023-06-15 v7.10.3, 7.8.7

(CWE-918) Fixed an issue where an attacker could perform a limited blind SSRF to localhost/intranet using the interactive dialog implementation. Thanks to WGh for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00174 Low <=v7.10.2 2023-06-15 v7.10.3

(CWE-284) Fixed an issue where Mattermost Boards failed to delete card attachments, allowing an attacker to access deleted attachments. Thanks to hackit_bharat for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00169 Low <=7.8.4, <=7.10.2 2023-06-15 v7.10.3, 7.8.5

(CWE-284) Fixed an issue where an authenticated attacker with knowledge of a Team Override Scheme ID could create a new team using that team override scheme. Thanks to ramyadav (cenman) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00186 Low <=7.8.5, <=7.10.2 2023-06-15 v7.10.3, 7.8.6

(CWE-284) Fixed an issue where the welcomebot invited and added guest accounts to channels by default. Thanks to Jason Frerich for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00200 Medium <=7.8.6, <=7.9.4, <=7.10.2 2023-06-15 v7.8.7, 7.9.5, 7.10.3

(CWE-284) Fixed an issue where an attacker with HTTP MitM access on Mattermost could access the WebSocket APIs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00178 Medium <=7.8.6, <=7.9.4, <=7.10.2 2023-06-15 v7.8.7, 7.9.5, 7.10.3

(CWE-284) Fixed an issue where, when a new reset token was created, previously issued tokens were not invalidated. Thanks to SUBHASIS DATTA (claverrat) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
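The property MMSA-2023-00178 restores is that a user has at most one live password-reset token: issuing a new one supersedes the old, and a token is destroyed when consumed. The Go example below is added here and is not Mattermost code; the one-hour TTL, the in-memory store, and the hex token encoding are choices made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

const resetTokenTTL = time.Hour // assumed lifetime for this example

var ErrInvalidResetToken = errors.New("invalid, expired or superseded reset token")

type resetRecord struct {
	userID  string
	expires time.Time
}

// ResetTokenStore holds at most one live reset token per user and stores only
// SHA-256 hashes of tokens, so a database read cannot yield usable links.
type ResetTokenStore struct {
	mu     sync.Mutex
	byHash map[[32]byte]resetRecord
	latest map[string][32]byte // userID -> hash of the only valid token
	now    func() time.Time    // injectable clock for tests
}

func NewResetTokenStore() *ResetTokenStore {
	return &ResetTokenStore{
		byHash: make(map[[32]byte]resetRecord),
		latest: make(map[string][32]byte),
		now:    time.Now,
	}
}

// Issue mints a 256-bit random token for userID and invalidates any token
// previously issued to that user.
func (s *ResetTokenStore) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	h := sha256.Sum256([]byte(token))

	s.mu.Lock()
	defer s.mu.Unlock()
	if old, ok := s.latest[userID]; ok {
		delete(s.byHash, old) // supersede: the earlier link stops working
	}
	s.latest[userID] = h
	s.byHash[h] = resetRecord{userID: userID, expires: s.now().Add(resetTokenTTL)}
	return token, nil
}

// Consume validates a presented token, returns the user it was issued to, and
// destroys it (single use). The map lookup is keyed by the hash of a random
// 256-bit value, so its timing reveals nothing useful to an attacker.
func (s *ResetTokenStore) Consume(token string) (string, error) {
	h := sha256.Sum256([]byte(token))
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[h]
	if !ok {
		return "", ErrInvalidResetToken
	}
	delete(s.byHash, h)
	if s.latest[rec.userID] == h {
		delete(s.latest, rec.userID)
	}
	if s.now().After(rec.expires) {
		return "", ErrInvalidResetToken
	}
	return rec.userID, nil
}

func main() {
	s := NewResetTokenStore()
	t1, _ := s.Issue("user-1")
	t2, _ := s.Issue("user-1") // supersedes t1
	_, err1 := s.Consume(t1)
	uid, err2 := s.Consume(t2)
	fmt.Println(err1, uid, err2)
}
```

In a database-backed store the same invariant is a delete-by-user before the insert, run in the same transaction as the insert so a crash between the two cannot leave two valid tokens.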
MMSA-2023-00185 Medium <=7.8.6, <=7.9.4, <=7.10.2 2023-06-15 v7.8.7, 7.9.5, 7.10.3

(CWE-400) Fixed an issue where specially crafted markdown input could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00176 Medium <=7.8.6, <=7.9.4, <=7.10.2 2023-06-15 v7.8.7, 7.9.5, 7.10.3

(CWE-284) Fixed an issue where links to previously-shared public Boards were still accessible after the “Enable Publicly-Shared Boards” configuration option was disabled. Thanks to Daniel Pallinger for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00147 Medium <=7.8.6, <=7.9.4, <=7.10.2 2023-06-15 v7.8.7, 7.9.5, 7.10.3

(CWE-284) Fixed an issue where a low-privileged authenticated user could link a Board to any private channel they knew the ID of, by invoking the /plugins/focalboard/api/v2/boards/ API. Thanks to Ossi Väänänen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00168 Medium <=7.8.6, <=7.9.4, <=7.10.2 2023-06-15 v7.8.7, 7.9.5, 7.10.3

(CWE-400) Fixed an issue where an attacker posting a specially crafted link could cause the channel to crash. Thanks to Ossi Väänänen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00183 Low <=7.1.9, <=7.8.4, 7.10.0 2023-05-17 v7.10.1, 7.8.5

(Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)) Fixed an issue in the GitHub plugin where posting a specially crafted message with a link to contents of a GitHub private repository would result in the private code being previewed in Mattermost even if the configuration settings allowed previews only for public repositories. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00152 Medium <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Denial of Service) Fixed an issue where a low-privileged attacker could send a POST request to the app’s internal /install API endpoint (Apps built using Apps Framework), causing the app to crash and sometimes respond with sensitive information. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00151 Medium <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Reducing Attack Surface) Fixed an issue where a low privileged attacker could send a POST request to the App’s webhook path (apps built using Apps Framework) and modify the contents of messages posted by the app. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00171 Medium <=7.1.9, <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Denial of Service) Fixed an issue where a specially crafted search query would produce very large log entries, so that repeated queries could fill the disk with log files. Thanks to Filip Omazić, cybersecurity engineer at the Croatian national CERT, for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00177 Medium <=7.1.9, <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Uncontrolled Resource Consumption) Fixed an issue where an attacker could send a long enough direct message and cause the server to hang. Thanks to SUBHASIS DATTA (claverrat) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00172 Medium <=7.1.9, 7.8.4, 7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Improper Authentication) Fixed an issue where an attacker could post messages to a read-only channel using a slash command. Thanks to ramsakal7582 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00164 Medium <=7.1.9, <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Information Disclosure) Fixed an issue where Mattermost allowed an attacker to access arbitrary posts using the Collapsed Reply Threads APIs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00163 Medium <=7.1.9, <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Authorization) Fixed an issue where a deactivated user could still perform operations using the OAuth2 API. Thanks to whitehattushu for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00161 Medium <=7.1.9, <=7.8.4, <=7.9.3, 7.10.0 2023-05-17 v7.10.1, 7.9.4, 7.8.5

(Authorization) Fixed an issue where Mattermost allowed an attacker to post a specially crafted /groupmsg command to obtain full message contents from a private channel. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00165 Medium <=7.8.2, <=7.9.1, 7.10.0 2023-05-17 v7.10.1, 7.9.2, 7.8.3

(Denial of Service) Fixed an issue where an attacker can post a link to a specially crafted webpage they control and cause a crash while rendering the message preview. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00144 Medium <=7.8.2, <=7.9.1, 7.10.0 2023-05-17 v7.10.1, 7.9.2, 7.8.3

(Authorization) Fixed an issue where missing permission checks could allow Playbooks to edit arbitrary posts. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00157 Medium <=7.8.4, <=7.9.3 2023-05-17 v7.10, 7.9.4, 7.8.5

(Authorization) Fixed an issue where an OAuth2 authorization code was not expired when the OAuth2 app was deauthorized from the account, which could allow an attacker holding such a code to still generate an access token. Thanks to whitehattushu for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00159 Medium >=v5.34.0 2023-04-27 v7.1.9, 7.8.4, 7.9.3, 7.10.0

(Input Validation) Fixed an issue where an authenticated attacker could bypass the domain denylist for link previews by sharing links with Unicode confusable characters. Thanks to xp for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
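The following block is an added example, not Mattermost's own code, illustrating the class of bug fixed in MMSA-2023-00159: a denylist compared against the raw, user-supplied hostname while the component that fetches the preview resolves the IDNA (ASCII) form of that host. The function names, the denylist entries and the sample URLs are assumptions made for illustration. It goes slightly beyond the one case the entry mentions: it also normalizes case and trailing dots, fails closed on malformed hosts, and can optionally refuse any punycode label so that a homoglyph domain cannot pose as a denylisted site in a preview card.

```python
"""Added example, not Mattermost's code: canonicalize a link's hostname before
checking it against a link-preview domain denylist.

A check that compares the raw, user-supplied hostname can be bypassed with
Unicode confusables: it sees 'ｅxample.com' (fullwidth 'e'), while the HTTP
client that later fetches the preview resolves the IDNA form 'example.com'.
The denylist below is constructed sample data.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed sample denylist, as an operator might configure it.
DENYLIST: Set[str] = {"example.com", "internal.example.net"}


def naive_is_denied(url: str, denylist: Set[str] = DENYLIST) -> bool:
    """The weak check: compares the hostname exactly as submitted."""
    host = urlsplit(url).hostname or ""
    return host in denylist


def canonical_host(url: str) -> Optional[str]:
    """Return the host in the ASCII (IDNA A-label) form a resolver would use,
    lowercased and without a trailing dot, or None if the host is missing or
    malformed. Callers treat None as 'deny' so the check fails closed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. a netloc that NFKC-normalizes into URL delimiters
        return None
    if not host:
        return None
    host = host.rstrip(".")
    try:
        # The stdlib idna codec applies nameprep (case folding and NFKC), so
        # compatibility-equivalent characters such as fullwidth letters fold
        # to ASCII before the comparison. Labels in another script become
        # punycode ('xn--...'), which never equals an ASCII denylist entry.
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def is_denied(url: str, denylist: Set[str] = DENYLIST,
              block_punycode: bool = True) -> bool:
    """Hardened check: canonicalize first, fail closed on malformed hosts and,
    optionally, refuse any internationalized label so that a homoglyph domain
    (Cyrillic 'а' for Latin 'a') cannot pose as a denylisted site in a preview."""
    host = canonical_host(url)
    if host is None:
        return True
    if host in denylist:
        return True
    if block_punycode and any(label.startswith("xn--") for label in host.split(".")):
        return True
    return False


if __name__ == "__main__":
    confusable = "https://\uff45xample.com/secret"   # fullwidth 'ｅ' as first letter
    print(naive_is_denied(confusable))  # False: the weak check is bypassed
    print(is_denied(confusable))        # True: the canonical host is denylisted
```

The essential point is that the comparison must be made in the same form the downstream fetcher will use; any normalization the fetcher performs after the check (here, IDNA encoding before DNS resolution) is a bypass of the check.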
MMSA-2023-00162 Medium <=v7.9.1, <=v7.8.2, <=v7.7.3, <=v7.1.7 2023-04-12 v7.9.2, 7.8.3, 7.7.4, 7.1.8

(Authorization) Fixed an issue where a user with permission to edit other users and to create personal access tokens could elevate their privileges to system admin. Thanks to Eva Sarafianou for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00160 Medium <=v7.9.1, <=v7.8.2, <=v7.7.3, <=v7.1.7 2023-04-12 v7.9.2, 7.8.3, 7.7.4, 7.1.8

(Information Disclosure) Fixed an issue where the database credentials were revealed in audit logs during server initialization. Thanks to Stylianos Rigas for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00142 Medium <= 5.2.2 2023-03-30 v5.3.0

(Reducing Attack Surface) Fixed an issue where unvalidated Mattermost server redirection could allow opening arbitrary web pages in the desktop app. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2023-00146 High <=v7.7.2, <=v7.8.1, v7.9.0 2023-03-17 v7.9.1, 7.8.2, 7.7.3

(Information Disclosure) Fixed an issue where user passwords and user hashes were revealed in audit logs if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). Thanks to Jo Astoreca for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
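The following block is an added example, not Mattermost's own code, illustrating the failure mode behind MMSA-2023-00160 and MMSA-2023-00146: audit records built from whole request or configuration structures carry passwords, password hashes, tokens and database connection strings onto disk unless those values are masked first. The key names, the event structure and the connection string are constructed assumptions for illustration.

```python
"""Added example, not Mattermost's code: scrub secrets from an audit event
before it is serialized to the audit log.

Audit records are often built from entire request or config structures, so a
password, password hash, bearer token, or a database DSN with an embedded
password ends up on disk unless it is masked first. The event below is
constructed sample data.
"""
import json
import re
from typing import Any

# Key names (case-insensitive substrings) whose values are never logged verbatim.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "private_key",
                  "authorization", "cookie")
# user:password@host inside a URL or DSN, e.g. postgres://mm:hunter2@db:5432/db
_DSN_CREDS = re.compile(r"(?i)(\b[a-z][a-z0-9+.-]*://[^:/@\s]+:)([^@/\s]+)(@)")
MASK = "***"


def _is_sensitive(key: str) -> bool:
    k = key.lower()
    return any(s in k for s in SENSITIVE_KEYS)


def scrub_string(s: str) -> str:
    """Mask the password component of any credentialed URL/DSN in free text,
    leaving scheme, user, host and port visible for troubleshooting."""
    return _DSN_CREDS.sub(r"\g<1>" + MASK + r"\g<3>", s)


def redact(value: Any) -> Any:
    """Return a deep copy of value with sensitive keys masked (whatever their
    type) and embedded credentials scrubbed from every string."""
    if isinstance(value, dict):
        return {k: (MASK if _is_sensitive(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return scrub_string(value)
    return value


def audit_line(event: dict) -> str:
    """Serialize one audit event as a single JSON line, after redaction."""
    return json.dumps(redact(event), sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed event resembling a server-initialization audit record.
    sample = {
        "event": "config_load",
        "user": {"name": "alice", "password": "hunter2", "password_hash": "$2a$10$abc"},
        "config": {"SqlSettings": {"DataSource": "postgres://mm:hunter2@db:5432/mattermost?sslmode=disable"}},
        "headers": [{"Authorization": "Bearer abc"}],
    }
    print(audit_line(sample))
```

Masking by key name catches the structured cases (password fields, hashes, headers); the DSN regex catches the credential that hides inside an otherwise harmless-looking string. Both are needed, and an allowlist of fields to log is safer still than a denylist of fields to mask.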
MMSA-2022-00128 Low <v7.9 2023-03-16 v7.9.0

(Information Disclosure) Fixed an issue where detailed information on a team, including its name, display name and description, was broadcast over the websocket to all users with an active websocket connection when the team was archived. Thanks to Daniel Espino Garcia for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00141 Medium <=7.8.0, <=7.7.1, <=7.1.5 2023-03-01 v7.8.1, 7.7.2, 7.1.6

(Information Disclosure) Fixed an issue where message contents from private channels could be returned as part of the embed metadata of a crafted post in a different channel. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00139 High <=7.7.1, <=7.1.5 2023-03-01 v7.8.0, 7.7.2, 7.1.6

(XSS) Fixed an issue where an attacker could attach a malicious SVG file to an item on Mattermost Boards and share it using a direct link to the file. Thanks to Veshraj Ghimire for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00138 Medium <=7.7.1, <=7.1.5 2023-03-01 v7.8.0, 7.7.2, 7.1.6

(Information Disclosure) Fixed an issue where Mattermost sent unsanitized user_updated and post_deleted messages over the websocket connection to some clients in a High Availability installation. Thanks to Kyriakos Ziakoulis and Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00137 Medium <=7.7.1, <=7.1.5 2023-03-01 v7.8.0, 7.7.2, 7.1.6

(Authorization) Fixed an issue where a low-privileged authenticated attacker could construct an email team invite to a private channel the attacker is not a member of. Thanks to BhaRat for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00140 Low >=7.4.0, >=7.5.0, >=7.7.0 2023-02-16 v7.8.0

(Input Validation) Fixed an issue where an attacker could create a channel with a specially crafted name that caused a later attempt to create a group message channel to fail in unexpected ways. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00136 Low >=v7.4.0 2022-11-16 v7.5.0

(Information Disclosure) Fixed an issue where a low-privileged authenticated attacker could obtain the full name of a board owner by calling the /plugins/focalboard/api/v2/users API endpoint. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Boards
MMSA-2023-00135 Medium <=7.5.1, <=7.4.0, <=7.1.4 2022-12-21 v7.5.2, 7.4.1, 7.1.5

(Information Disclosure) Fixed an issue where a low-privileged authenticated user could use the Playbook Runs API to list playbook runs and to access detailed information about them. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Plugins
MMSA-2023-00134 Medium <=7.5.1, <=7.4.0, <=7.1.4 2022-12-21 v7.5.2, 7.4.1, 7.1.5

(Authorization) Fixed an issue where a low-privileged authenticated attacker could edit a playbook belonging to a team they had no access to, using the Playbooks API. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Plugins
MMSA-2023-00133 Low >= v5.12.0 2023-01-16 v7.7.0

(Information Disclosure) Fixed an issue where an authenticated user with team admin privileges could view the team owner's email address by invoking the “Regenerate invite ID” API endpoint at /api/v4/teams/[teamId]/regenerate_invite_id, which failed to honor the ShowEmailAddress setting. When set to False, ShowEmailAddress hides email addresses from all users except system administrators. Thanks to foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00132 Low >= v5.12.0 2023-01-16 v7.7.0

(Information Disclosure) Fixed an issue where an authenticated user with team admin privileges could view the team owner's email address by calling the /api/v4/users/me/teams API endpoint, which did not honor the ShowEmailAddress setting. When set to False, ShowEmailAddress hides email addresses from all users except system administrators. Thanks to foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2023-00131 Low >= v5.32.0 2023-01-16 v7.7.0

(XSS) Fixed a cross-site scripting vulnerability affecting the API endpoints that handle completion of the OAuth flow. Thanks to zerodivisi0n for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00127 Low <= 7.5 2023-01-16 v7.7.0

(Authorization) Fixed a bug that required a cache purge or server restart for permission schemes to be correctly applied. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00122 Medium <=7.5.1, <=7.4.0, <=7.1.4 2022-12-21 v7.5.2, 7.4.1, 7.1.5

(Information Disclosure) Fixed an issue where a guest user could bypass the restrictions and view restricted members' information. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00124 Low <= 7.3 2022-10-14 v7.4.0

(Denial of Service) Fixed an issue where an authenticated user could send multiple requests containing a parameter that fetched a large amount of data, which could crash the Mattermost server. Thanks to DummyThatMatters for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00120 Medium <=7.1.3, <=7.2.0, <=7.3.0 2022-10-14 v7.4.0, v7.3.1, v7.2.1, v7.1.4

(Denial of Service) Fixed an issue where an authenticated user could send multiple requests containing a large payload to the “Out of Office” API endpoint and crash the server. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00118 Medium <=7.1.3, <=7.2.0, <=7.3.0 2022-10-14 v7.4.0, v7.3.1, v7.2.1, v7.1.4

(Denial of Service) Fixed an issue where an authenticated user could send multiple requests containing a large payload to the Update Playbooks API endpoint and crash the server. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00115 Low v7.1.0 2022-08-16 v7.2.0

(Denial of Service) Fixed an issue where a specifically crafted GIF file upload could cause resource exhaustion while processing it thereby causing a server-side Denial of Service. Thanks to Philippe Antoine for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00112 Medium <= 6.3.9, 6.4.x, 6.5.x, 6.6.x, 6.7.x, 7.0.x <= 7.0.1, 7.1.x <= 7.1.2 2022-08-23 v7.2.0, 7.1.3, 7.0.2, 6.3.10

(Information Disclosure) Fixed an issue where some sensitive user information was leaked to the remote server when a shared channel was configured between two servers. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00113 Low <= 7.0 2022-07-16 v7.1.0

(Denial of Service) Fixed an issue where an authenticated user could upload maliciously crafted image attachments and crash a server running on the minimum recommended hardware. Thanks to Philippe Antoine for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00111 Low <= 7.0 2022-07-16 v7.1.0

(Denial of Service) Fixed an issue where users with permission to perform bulk imports could bypass the existing limits and upload very large emojis, resulting in a client-side DoS. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00110 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Information Disclosure) Fixed an issue where a guest user could bypass the restrictions and fetch a list of all public channels in the team, in spite of not being a member of those channels. Thanks to Rohit KC for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00109 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Reducing Attack Surface) Fixed an issue with the default configuration generated for the trusted IP header, which could allow attackers to bypass some of the rate limits in place, or to record manipulated client IPs in audit logs, by manipulating request headers. Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
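The following block is an added example, not Mattermost's own code, illustrating the class of bug behind MMSA-2022-00109: a server that honours a forwarded-IP header from any peer lets a direct client choose the address that rate limits and audit records key on. The header name, the proxy address ranges, the request values and the minimal rate limiter are constructed assumptions for illustration; the example also shows the resulting rate-limit bypass end to end.

```python
"""Added example, not Mattermost's code: resolve the client IP used for rate
limiting and audit logging without trusting a forwarded-IP header from an
arbitrary peer.

If the server honours X-Forwarded-For whenever it is present, any direct
client can set it and choose the address that rate limits and audit records
key on. The header may only be used when the TCP peer is one of the
operator's own reverse proxies, and then only the right-most address that a
trusted proxy appended. Proxy ranges and requests below are constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed: address ranges of the operator's own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]
FORWARDED_HEADER = "x-forwarded-for"   # header names assumed lowercased by the caller


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_unsafe(peer_ip: str, headers: Dict[str, str]) -> str:
    """Weak: the header wins whenever present, whoever sent it."""
    xff = headers.get(FORWARDED_HEADER)
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Hardened: consult the header only when the peer is a trusted proxy, then
    walk the chain from the right, skipping trusted hops; the first untrusted
    address is the client. An unparseable entry stops the walk, so a malformed
    header yields the last trusted hop rather than an attacker-chosen string."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        return str(peer)           # direct client: the header is untrusted input
    hops: List[str] = [h.strip() for h in headers.get(FORWARDED_HEADER, "").split(",")
                       if h.strip()]
    candidate = peer
    for raw in reversed(hops):
        try:
            hop = ipaddress.ip_address(raw)
        except ValueError:
            break
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)


class RateLimiter:
    """Minimal fixed-window counter keyed on the resolved client address."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: Dict[str, int] = {}

    def allow(self, key: str) -> bool:
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


def simulate(resolver, limit: int = 2) -> List[bool]:
    """Three requests from one direct client that rotates a spoofed header.
    Returns the allow/deny decision for each request under the given resolver."""
    limiter = RateLimiter(limit)
    decisions = []
    for fake in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        headers = {FORWARDED_HEADER: fake}          # constructed request
        decisions.append(limiter.allow(resolver("203.0.113.7", headers)))
    return decisions


if __name__ == "__main__":
    print(simulate(client_ip_unsafe))  # [True, True, True]: every request gets a fresh bucket
    print(simulate(client_ip))         # [True, True, False]: the third request is rate limited
```

The same resolved address should feed the audit log, so that a request's recorded origin is the proxy's view of the connection rather than a header the client wrote.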
MMSA-2022-00108 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Information Disclosure) Fixed an issue where team members could gain access to some sensitive information of other users via an API call. Thanks to Elias for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00102 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Denial of Service) Fixed an issue where a maliciously crafted file could bypass the existing size limits during Slack import and crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00103 Low <= 5.0 2022-05-16 v5.1.0

(Misconfiguration) Fixed an issue where the file modes set in the Linux *.tar.gz installation package were too permissive. Thanks to Ernst Kloppenburg for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2022-0098 Low < 6.7 2022-05-16 v6.7.0

(Reducing Attack Surface) Fixed an issue where users with Plugin Management permissions were allowed to bypass the restriction and upload any custom plugins, even when the upload plugin config was disabled in the server’s config.json file. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0089 Low <= 6.4 2022-05-16 v6.7.0

(Denial of Service) Fixed an issue where an authenticated API call could cause resource exhaustion under specific circumstances, resulting in a server-side Denial of Service. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00104 Medium 5.x, 6.x <= 6.3.7, 6.4.x <= 6.4.2, 6.5.0, 6.6.0 2022-04-28 v6.6.1, 6.5.1, 6.4.3, 6.3.8

(Denial of Service) Fixed an issue where a maliciously crafted SVG attachment could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-00101 Low <= 6.5 2022-04-16 v6.6.0

(Denial of Service) Fixed an issue where an unauthenticated attacker could send a malicious request that crashed the server if the console log level was set to DEBUG. Thanks to TheSecurityDev for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0095 Medium <= 6.4 2022-03-16 v6.5.0

(Reducing Attack Surface) Fixed an issue where users with permission to install plugins could install old versions of plugins from the Marketplace, exposing the server to any publicly disclosed vulnerabilities in those versions. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0092 Low <= 6.4 2022-03-16 v6.5.0

(Reducing Attack Surface) Fixed an issue where the invitation email was resent as a reminder even after a system administrator had invalidated all pending email invitations, which reactivated the invalidated tokens. Thanks to mr_anon for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0094 Medium <= 6.4 2022-03-10 v6.4.2, 6.3.5, 6.2.5, 5.37.9

(Information Disclosure) Fixed an issue where a user with a restricted custom admin role could bypass the restrictions and view the server logs and the contents of the server's config.json file. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0090 Medium <= 6.4 2022-02-16 v6.4.0

(Injection) Fixed an issue where registered users with permissions to invite guest users were allowed to inject unescaped HTML content in the email invites. Thanks to Imamul Mursalin for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0084 Low <= 6.3 2022-02-16 v6.4.0

(Reducing Attack Surface) Fixed an issue where a System Admin was allowed to override certain configurations which were restricted from the System Console. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0087 Medium <=6.3.2 2022-02-03 v6.3.3, 6.2.3, 6.1.3, 5.37.8

(Denial of Service) Fixed an issue where a maliciously crafted SAML response could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0086 Medium 5.x >= 5.35, 6.x 2022-02-03 v6.3.3, 6.2.3, 6.1.3, 5.37.8

(Denial of Service) Fixed an issue where a maliciously crafted attachment could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2022-0082 Medium <=6.3.0 2022-01-21 v6.3.1, 6.2.2, 6.1.2, 5.37.7

(Information Disclosure) Fixed an issue where the team creator’s email address was disclosed to team members via an API call.

Mattermost Server
MMSA-2021-0081 Medium <=6.2 2021-12-17 v6.2.1, 6.1.1, 6.0.4, 5.39.3, 5.37.6

(Denial of Service) Fixed an issue where a specifically crafted file upload could cause resource exhaustion while processing it, resulting in server-side Denial of Service. Thanks to Ada for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0080 Medium <=v0.10.0 2021-12-17 v0.11.0, v0.10.1, v0.9.5, v0.8.4, v0.7.5

(Information Disclosure) Fixed an issue where emails of all users were exposed via one of the Boards APIs. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Boards
MMSA-2021-0077 Medium <=v0.10.0 2021-12-17 v0.11.0, v0.10.1, v0.9.5, v0.8.4, v0.7.5

(Authentication) Fixed an issue where the session was not invalidated on the server side when a user logged out of Boards. Thanks to Hagai Wechsler from WhiteSource for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Boards
MMSA-2021-0076 Low <6.2 2021-12-16 v6.2.0

(Information Disclosure) Fixed an issue where the contents of an archived channel could be read even when not allowed by configuration.

Mattermost Server
MMSA-2021-0075 Low <=6.0 2021-11-16 v6.1.0

(Input Validation) Fixed an issue where a specially crafted message could cause a client-side crash of the web application. Thanks to TheSecurityDev for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0074 Low <= 6.0 2021-11-16 v6.1.0

(Reducing Attack Surface) Fixed an issue where the email address in the invitation token was not properly validated during registration under specific conditions. Thanks to AT1ZT0 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0073 Low <= 6.0 2021-11-16 v6.1.0

(Misconfiguration) Changed the default permissions of the config.json file. Thanks to Matt Moses for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0072 Medium 6.0 2021-11-15 v6.0.3, 5.39.2, 5.38.4, 5.37.4

(Information Disclosure) Fixed an issue where some sensitive information was not properly sanitized before writing to the audit logs. Thanks to Paul Harrison for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0071 Medium 5.x >= 5.36, 6.0 2021-10-27 v6.0.1, v5.39.1, v5.38.3, v5.37.3

(Information Disclosure) Fixed an issue where Boards, when enabled, logged sensitive information at startup. Boards is enabled by default from Mattermost version 6.0 onwards.

Mattermost Server
MMSA-2021-0049 Low < 5.0 2021-10-13 v5.0.0

(Misconfiguration) Implemented additional Electron runtime hardening. Thanks to Csaba Fitzl for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2021-0069 Low <= 5.38 2021-09-16 v5.39.0

(Reducing Attack Surface) Fixed an issue where data was not properly sanitized when copied and pasted in Mattermost. Thanks to intrigus for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0062 Low <= 5.37 2021-08-16 v5.38.0

(Reducing Attack Surface) Fixed an issue where an old email confirmation token was not properly invalidated under specific conditions. Thanks to akash-hamal for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0061 Low <= 5.37 2021-08-16 v5.38.0

(Input Validation) Fixed an issue where email addresses were not properly sanitized during registration. Thanks to sekharlee for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0064 Medium All 2021-08-04 v5.35.5, v5.36.2, v5.37.1, and v5.38.0

(Authorization) Fixed an issue where an authenticated user was able to access the contents of arbitrary posts under specific conditions. Thanks to Adrian (thiefmaster) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0063 Medium <= 4.7 2021-08-03 v4.7.1

(Reducing Attack Surface) Enabled global sandboxing to increase security in the Desktop App. Thanks to p3rr0 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2021-0059 Low <= 4.6 2021-06-23 v4.7.0

(Input Validation) Fixed an issue where a specially crafted link bypassed security checks and allowed opening arbitrary web pages within the desktop app. Thanks to Elnerd for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2021-0058 Medium <= 4.6 2021-06-23 v4.7.0

(Remote Code Execution) Changed the default choice for security dialogs to prevent unintentional approval of dangerous actions. Thanks to RyotaK for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2021-0057 Medium <= 4.6 2021-06-23 v4.7.0

(Remote Code Execution) Upgraded Electron to address recently disclosed vulnerabilities. Thanks to Aaditya Purani for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2021-0055, CVE-2021-37859 High v5.32 to v5.36 2021-06-21 v5.34.5, v5.35.4, v5.36.1, and v5.37.0

(XSS) Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. Thanks to Andrea zi0Black Cappa of Shielder for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0056 Low <= v1.43 2021-06-16 v1.44.0

(Phishing) Fixed an issue on Android where a malicious app could masquerade as part of the Mattermost app. Thanks to Sheikh Rishad for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2021-0054 High v1.6.0 to v1.40.0 2021-06-16 v1.44.0

(Injection) Fixed an issue on Android where a malicious app installed on the device could write arbitrary files in Mattermost directories. Thanks to edu for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2021-0055, CVE-2021-37859 High v5.32 to v5.35 2021-06-11 v5.33.5, v5.34.4, v5.35.3, and v5.36.0

(XSS) Fixed a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. Thanks to Andrea zi0Black Cappa of Shielder for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0052 Low <=5.34 2021-05-16 v5.35.0

(Authorization) Fixed a bug that required a cache purge or server restart for channel moderation changes to be correctly applied. Thanks to Pawan Lal for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0051 Medium <=5.34 2021-05-16 v5.35.0

(Authorization) Improved the password generation logic used during the bulk user import process. Thanks to redacted for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0050 Low v5.30 to v5.34 2021-05-16 v5.35.0

(Authorization) Fixed an issue where a specific read-only admin permission could allow the creation of new S3 buckets. Thanks to Martin Kraft for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0048 High mattermost-plugin-autolink <= 1.2.1, mattermost-plugin-github <=2.0.0 2021-04-17 mattermost-plugin-autolink 1.2.2, mattermost-plugin-github 2.0.1

(Authorization) Fixed an issue where crafted HTTP requests could bypass specific plugin access controls. Thanks to Erlend Leiknes from mnemonic as for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Plugins
MMSA-2021-0046 Low <v5.33 2021-03-16 v5.33.0

(Authorization) Fixed an issue where demoting a user to a guest would not take immediate effect in an environment with read replicas. Thanks to Dibyajyoti Dutta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0045 Low <v5.33 2021-03-16 v5.33.0

(Reducing Attack Surface) Fixed an issue where specific potentially sensitive HTTP responses could end up being cached by proxy servers. Thanks to Paal Braathen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0044 Low <v5.33 2021-03-16 v5.33.0

(Reducing Attack Surface) Removed an undocumented feature which allowed system admins to set a new password without asking for the old password. Thanks to Pabloß for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0043 Low <v5.33 2021-03-16 v5.33.0

(Input Validation) Fixed an issue where maliciously crafted text in a post could lead to limited client-side Denial of Service. Thanks to Douglas Banyai for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2021-0042 High v1.6.0 to v1.40.0 2021-03-16 v1.41.0

(Injection) Fixed an issue on Android where a malicious app installed on the device could write arbitrary files in Mattermost directories. Thanks to Sunny Kumar for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2021-0041 Low v1.39.0 and earlier 2021-02-25 v1.40.0

(Misconfiguration) Fixed an issue where API requests could be unintentionally cached locally on iOS.

Mattermost Mobile Apps
MMSA-2021-0047 Low All 2021-02-16 v5.32.0

(Input Validation) Fixed an issue where a user coming to Mattermost through OAuth could be maliciously redirected to an external website. Thanks to sbruckmann for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0038 Low All 2021-02-16 v5.32.0

(Authorization) Fixed an issue where a user with a specific custom admin role could remove permissions from a system admin. Thanks to Martin Kraft for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0039 Low All 2021-01-16 v5.31.0

(Input Validation) Improved input validation in image proxy component for URLs. Thanks to Dibyajyoti Dutta (djxploit) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0040 Low All 2020-12-16 v5.30.0

(Authorization) Fixed an issue where high-availability configurations of Mattermost partially failed to enforce permission level changes during an active session. Thanks to Leandro Chaves (brdoors3) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0030 Critical v5.20.x to v5.29.0, excluding v5.28.2, 5.27.2, and 5.25.7 2020-12-03 v5.29.1, 5.28.2, 5.27.2, 5.25.7

(Authorization) Disabled the xmlsec1-based SAML library in favor of the re-enabled and improved SAML library. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0028 Low All 2020-09-16 v5.27.0

(Denial of Service) Fixed an issue where specifically crafted file uploads could consume large amounts of memory. Thanks to Claudio Costa for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0030 High v5.20.x to v5.26.x, excluding v5.25.5 and v5.26.2 2020-09-03 v5.25.5, 5.26.2

(Authorization) Forcefully disabled the experimental SAML implementation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0025 Low All 2020-07-16 v1.33.0

(Denial of Service) Fixed an issue where specifically crafted Markdown could crash the Android version of the application. Thanks to Jorge Ferreira and Patrick Sukop from Blaze Information Security for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2020-0024 Low All 2020-07-16 v5.25.0

(Authorization) Fixed an issue where plugins could fail to enforce team-level permissions under specific circumstances. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0027 High All 2020-07-13 v4.5.1

(Third Party Library Vulnerability) Fixed Electron security issues CVE-2020-15096, CVE-2020-4077, CVE-2020-4075, and CVE-2020-4076.

Mattermost Desktop App
MMSA-2020-0023 Low All 2020-06-16 v5.24.0

(Denial of Service) Fixed an issue where a large crafted Markdown message could have caused high resource consumption in the client. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0019 Low All 2020-06-16 v5.24.0

(Information Disclosure) Fixed an issue where authenticated users could gain access to private teams for a limited time in some configurations. Thanks to Jonathan (0xghostwriter) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0022 High v1.31.0 2020-05-27 v1.31.2

(Information Disclosure) Fixed an issue where 1.31.0 Build 293 of the iOS app could leak authorization tokens to 3rd-party servers under specific configurations. A newer unaffected build was already available prior to discovering this issue. Thanks to Jorge Ferreira, Wilberto Filho and Julio Fort from Blaze Information Security for notifying Mattermost under the responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2020-0021 Low v5.22.0, v5.19.2 2020-05-16 v5.23.0

(Denial of Service) Fixed an issue where large webhook requests could send the server into an infinite loop.

Mattermost Server
MMSA-2020-0020 Low All 2020-05-16 v5.23.0

(Denial of Service) Fixed an issue where automatic direct message replies could cause an infinite loop leading to Denial of Service. Thanks to Doug Lauder for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0018 High v1.29.0 2020-04-16 v1.30.0

(Information Disclosure) Fixed an issue where authorization tokens could be leaked to 3rd-party servers under specific configurations. Thanks to Mikael Berthe for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2020-0017 Low All 2020-04-16 v5.22.0

(Denial of Service) Fixed an issue with a potential client-side Denial of Service vulnerability in the markdown renderer. Thanks to James Hall from MDSec Labs for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0013 Low All 2020-03-16 v1.29.0

(Information Disclosure) Fixed an issue where the iOS app did not clear SSO cookies and local storage on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps
MMSA-2020-0014 Low All 2020-03-16 v5.21.0

(Injection) Fixed an issue with an HTTP path traversal in mmctl. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0005 Low All 2020-03-16 v5.21.0

(Denial of Service) Fixed an issue where unbounded reads from socket could lead to Denial of Service. Thanks to Lev Brouk for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0008 Low All 2020-02-16 v4.4.0

(Reducing Attack Surface) Fixed an issue where unvalidated Mattermost server redirection could allow opening arbitrary web pages in the desktop app. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2020-0007 Low All 2020-02-16 v4.4.0

(Phishing) Fixed an issue where HTTP Basic authentication prompts could be used for phishing. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2020-0006 Medium All 2020-02-16 v4.4.0

(Authorization) Fixed an issue where 3rd-party origins could be granted access to restricted web APIs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App
MMSA-2020-0012 Low All 2020-02-16 v5.20.0

(Authorization) Fixed an issue where the ‘update_team’ WebSocket event could broadcast team details to non-members. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0004 Low All 2020-01-16 v5.19.0

(Information Disclosure) Fixed an issue where the existence of private channels was exposed by the get-channel-by-name API. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server
MMSA-2020-0002 Low All 2020-01-16 v5.19.0 (Input validation) Fixed an issue where channels could be renamed to collide with direct messages. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0001 High All 2020-01-16 v5.19.0 (Authorization) Fixed an issue where non-admin users could create trusted OAuth apps. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0001 High All 2020-01-08 v5.18.1, 5.17.3, 5.16.5, 5.9.8 (Authorization) Fixed an issue where non-admin users could create trusted OAuth apps. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.4 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Cross-Site Request Forgery) Fixed an issue where a malicious website could take over user accounts via CSRF in specific server configurations. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.3 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (SQL Injection) Fixed an issue where server administrators could inject arbitrary SQL SELECT queries to the database through the SearchAllChannels functionality. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.2 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Improper Access Control) Fixed an issue with configuration files being assigned unnecessarily permissive modes, potentially enabling privilege escalation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.1 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Improper Access Control) Fixed an issue where changing a channel’s type allowed logged-in users to spoof a direct message channel between two users in specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.7 na na 2019-12-16 v5.18.0 (Denial of Service) Fixed an issue where a large Slack import could cause the server to run out of memory, leading to Denial of Service. Thanks to Abhisek Datta (abhisek) for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.6 Low na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where server-local file storage was assigning unnecessarily permissive modes to files and directories. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.5 Low na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where users could send ‘user_typing’ WebSocket events to arbitrary channels. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.4 High na 2019-12-16 v5.18.0 (Cross-Site Request Forgery) Fixed an issue where a malicious website could take over user accounts via CSRF in specific server configurations. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.3 High na 2019-12-16 v5.18.0 (SQL Injection) Fixed an issue where server administrators could inject arbitrary SQL SELECT queries to the database through the SearchAllChannels functionality. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.2 High na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue with configuration files being assigned unnecessarily permissive modes, potentially enabling privilege escalation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.1 High na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where changing a channel’s type allowed logged-in users to spoof a direct message channel between two users in specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
1.26.0.5 Low na 2019-12-16 v1.26.0 (Input Validation) Fixed an issue where specifically crafted replies via the quick reply functionality could cause unexpected behavior. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.4 Medium na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where cookie data was not cleared from the device on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.3 Low na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where web view caches were not cleared from the device on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.2 Medium na 2019-12-16 v1.26.0 (Path Traversal) Fixed an issue where video preview functionality could be used to overwrite arbitrary files on the device. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.1 Low na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where sensitive data such as server addresses and message contents could end up in local device logs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
na na na 2019-11-19 v5.16.3 (Reducing Attack Surface) Fixed an issue where a Droplet could expose a vulnerable service to the internet, potentially leading to a remote code execution attack on the server. Mattermost Packages
5.17.0.1 Medium na 2019-11-16 v5.17.0 (Denial of Service) Fixed an issue where a specifically crafted latex message could cause a client-side crash of the web application. Mattermost Server
5.16.1.1 High na 2019-10-24 v5.16.1, 5.15.2, 5.14.5, 5.9.6 (Information Disclosure) Fixed an issue where a legacy attachment migration could lead to leakage of other local files on upgraded and not upgraded legacy systems. Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.3.0.1 Medium na 2019-10-17 v4.3.0 (Code Injection) Fixed an issue with Mattermost macOS client dylib injection vulnerability. Thanks to Csaba Fitzl for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
5.16.0.1 na na 2019-10-16 v5.16.0 (Denial of Service) Fixed an issue where posts with several thousand backsticks hung markdown renderer. Mattermost Server
5.15.0.2 na na 2019-09-16 v5.15.0 (Denial of Service) Fixed an issue where some APIv4 endpoints were not handling special characters of SQL like-statement which could lead to ReDoS (high CPU usage in database server). Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.15.0.1 na na 2019-09-16 v5.15.0 (Improper Access Control) Fixed an issue where Access control restriction could be bypassed via a specially crafted input during login. Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.13.3.1 na na 2019-08-22 v5.13.3, 5.12.6, 5.9.4 (Denial of Service) Fixed an issue where a specifically constructed SVG could be uploaded which would cause the web and desktop apps to freeze when viewing that channel. Thanks to severus for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.14.0.1 Medium na 2019-08-16 v5.14.0 (Denial of Service) Fixed an issue where a specifically constructed SVG could be uploaded which would cause the web and desktop apps to freeze when viewing that channel. Thanks to severus for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.2.1 High na 2019-08-07 v4.2.2 (Remote Code Execution) Mitigated a remote code execution vulnerability where a specifically crafted link could invoke code in specific circumstances. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
5.13.0.2 Low na 2019-07-16 v5.13.0 (Authorization) Enforced team membership when fetching slash commands that are enabled for a team. Thanks to Ashish Padelkar for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.13.0.1 Low na 2019-07-16 v5.13.0 (Authorization) Added more explicit checks for incoming webhook creation. Thanks to Aryan Rupala for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.13.0.3 na na 2019-07-16 v5.13.0 (Authorization) Fixed an issue with GitHub plugin where user was able to attach their Mattermost account to a victim’s GitHub account. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Plugins
5.11.1.1 na na 2019-06-21 v5.11.1, 5.10.2, 5.9.2, 4.10.10 (CSRF) Added protection against CSRF attacks on the login page. Thanks to Zonduu for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.12.0.2 Medium na 2019-06-16 v5.12.0 (CSRF) Added protection against CSRF attacks on the login page. Thanks to Zonduu for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.12.0.1 Low na 2019-06-16 v5.12.0 (Input Validation) Added a configuration flag to explicitly enable Source IP overwrites using proxy overwrite headers. Thanks to prefix for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.11.0.2 Low na 2019-05-16 v5.11.0 (Denial of Service) Fixed an issue where a specific post could prevent loading all posts in that channel. Thanks to vincentbab for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.11.0.1 na na 2019-05-16 v5.11.0 (Input Validation) Moved generation of invite ids to a more secure function. Thanks to Bruno Bierbaumer for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.1.1 na na 2019-04-24 v5.9.1, 5.8.2, 4.10.9 (Authorization) Fixed an issue where Update/Patch Channel endpoint could accept changes from non-members for private channels. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.10.0.2 High na 2019-04-16 v5.10.0 (Authorization) Fixed an issue where Update/Patch Channel endpoint could accept changes from non-members for private channels. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.10.0.1 Medium na 2019-04-16 v5.10.0 (Input Validation) Fixed an issue where a user could modify the file IDs of a POST without showing the edited flag. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.8 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Denial of Service) A case of catastrophic backtracking within the Markdown library. Thanks to esosnov for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.7 Medium na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Reducing Attack Surface) Added additional protection against SSRF attacks to services running on the Mattermost server itself. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.6 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Information Disclosure) An information disclosure related to user activation/deactivation, where session information of the admin could be leaked to the system user. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.5 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Information Disclosure) An information disclosure related to role changes, where session information of the admin could be leaked to the system user. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.4 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Reducing Attack Surface) Invalidated tokens for password resets when a eMail change is being executed. Thanks to mga_bobo for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.3 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Denial of Service) A user was able to deactivate himself when the option was disabled. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.2 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Authorization) Enhanced the authentication flow to avoid disclosing whether a user had two-factor authentication enabled or not. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.1 na na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Phishing) Enhanced eMail verification when change is attempted from within the application. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.6 na na 2019-02-16 v5.8.0, 5.7.2, 5.6.5, 4.10.7 (Reducing Attack Surface) User was allowed to modify Email address without re-entering their credentials. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.4 na na 2019-02-16 v5.8.0, 5.7.2, 5.6.5, 4.10.7 (Denial of Service) Added mitigation to the possibility of high memory usage through external requests caused by OpenGraph data. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.8 Low na 2019-02-16 v5.8.0 (Input Validation) Applied login attempt to MFA to prevent brute forcing. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.7 na na 2019-02-16 v5.8.0 (Authorization) Anyone could join an open team even when a domain was specified. Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.5 na na 2019-02-16 v5.8.0 (Authorization) Users could pin/unpin posts when the experimental “read only Town Square” configuration setting was enabled. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.3 na na 2019-02-16 v5.8.0 (Reducing Attack Surface) Removed the ability for a single file to become partly attached to multiple posts. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.2 na na 2019-02-16 v5.8.0 (Information Disclosure) Added automatic robots.txt file to prevent search engines crawling Mattermost by default. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.1 na na 2019-02-16 v5.8.0 (Reducing Attack Surface) Improved the creation flow for the first user to make it harder to accidentally make a user system admin. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.1.1 na na 2019-02-01 v5.7.1, 5.6.4, 5.5.3 and 4.10.6 (Information Disclosure) A registered user was allowed to receive posts within the team without the required permissions through the flags API. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.0.3 na na 2019-01-16 v5.7, 5.6.3, 5.5.2, 4.10.5 (Denial of Service) A malicious outgoing webhook or slash command integration could cause the server to run out of memory. Thanks to Boyd Ansems of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.0.1 na na 2019-01-16 v5.7, 5.6.3, 5.5.2, 4.10.5 (Authorization) The permissions required for a user to create a user access token were unclear so they could be configured incorrectly when setting up Mattermost. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.0.2 na na 2019-01-16 v5.7 (Information Disclosure) A user who could not view other users’ email addresses could confirm a user has a known email address. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.4.0.1 na na 2018-10-16 v5.4.0 (Authorization) The client could hold and send unnecessary authentication credentials. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.3.0.2 na na 2018-09-16 v5.3.0 (Reducing Attack Surface) Fixed a potential timing attack. Thanks to Ben Burke for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.3.0.1 na na 2018-09-16 v5.3.0 Alpine Linux was updated to fix a vulnerability reported responsibly to the Alpine Linux project by Max Justicz. Mattermost Server
5.2.0.3 na na 2018-09-16 v5.2.2, 5.1.2, 4.10.4 (Denial of Service) A specially-crafted image with large dimensions and a small file size could be uploaded as an emoji, causing the server to use excess amounts of memory and possibly crash. Thanks to Soroush Dalili from NCC Group for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.2.0.2 na na 2018-08-16 v5.2, 5.1.1 (Authorization) “updateChannel“ endpoint would not check if the channel ID is the same in params and body. Thanks to Đặng Minh Trí for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.2.0.1 na na 2018-08-16 v5.2, 5.1.1, 5.0.3, 4.10.3 (Authorization) Users would be able to bypass email signup domain restriction by listing multiple emails. Thanks to Đặng Minh Trí for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.5 na na 2018-07-16 v5.1, 5.0.2, 4.10.2 (Authorization) “invite_people“ slash command would allow any logged in user to invite users to the team/server without checking the relevant permissions. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.6 na na 2018-07-16 v5.1 (Authorization) Message slash command would allow user to create direct message channels without the requisite permission being granted. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.4 na na 2018-07-16 v5.1 (Authorization) Channel PATCH API would allow modification of Direct and Group message channels by users who were not a member of those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.3 na na 2018-07-16 v5.1 (Authorization) Group message slash command would allow user to create group message channels without the requisite permission being granted. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.2 na na 2018-07-16 v5.1 (Authorization) Channel header slash command API could be exploited to set the header of Direct Message and Group Message channels as a user who does not have access to those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.1 na na 2018-07-16 v5.1 (Denial of Service) “/invite_people“ slash command could be used to cause a DOS attack. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.10.1.1 na na 2018-06-04 v4.10.1, 4.9.4, 4.8.2 (Denial of Service) Viewing a channel containing a malformed link could cause the app to freeze. Thanks to Eric Sethna for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.8.1.2 na na 2018-04-09 v4.8.1, 4.7.4, 4.6.3 (Information Disclosure) A System Admin editing a user would unintentionally send a Websocket event with the user’s email address and other personal information ignoring the privacy settings. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.8.1.1 na na 2018-04-09 v4.8.1, 4.7.4, 4.6.3 (Authorization) The team invite_id was disclosed through email invites, allowing a user to invite themselves repeatedly to a team and invite others. Thanks to Jesús Espino for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.1.1 na na 2018-03-28 v4.0.1 (Reducing Attack Surface) Node.js was allowed to be re-enabled in some Electron applications that disable it. This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs. Mattermost Desktop App
4.7.3.1 na na 2018-03-09 v4.7.3 (Denial of Service) Viewing a post containing invalid Latex code would cause an error that crashed the app. Thanks to Jan Wissmann for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.7.0.1 na na 2018-02-23 v4.7.0, 4.6.2, 4.5.2 (Authorization) SAML responses could be used beyond their expiration dates and maliciously crafted SAML responses could allow users to authenticate as any other user. Thanks to Brad Berkemier for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.1 na na 2018-01-30 v4.0.0 (Reducing Attack Surface) Use setPermissionRequestHandler to request permissions for various actions such as video/audio usage and notifications from untrusted origins. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
4.5.0.2 na na 2017-12-16 v4.5.0, 4.4.5, 4.3.4 (Authorization) When configured to allow non-admins to create webhooks (“EnableOnlyAdminIntegrations” set to false), users were able to forge requests that allow them to edit other users’ webhooks. Thanks to Linda Mitchell for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.5.0.1 na na 2017-12-16 v4.5.0, 4.4.5, 4.3.4, 4.2.2 (Denial of Service) Viewing a post containing @ followed by certain built-in JavaScript field names would cause an error that crashes the app. Thanks to Tobias Gruetzmacher for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.4.0.1 na na 2017-12-05 v4.4.3, 4.3.3 (Authorization) When using Mattermost as an OAuth 2.0 service provider and allowing non-admin users to manage integrations (“EnableOnlyAdminIntegrations” set to false), an attacker with a user account could forge a request allowing the updating of an OAuth app’s name, description, icon, homepage and callback URLs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.3.0.1 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Denial of Service) Fixed an issue where improperly formatted posts could cause the channel to not appear. Mattermost Server
4.3.0.2 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed an issue allowing users with System Admin permissions upwards path traversal, arbitrary file creation and boolean file checking on systems using local storage for files. Systems using other file storage methods allowed only arbitrary file creation and boolean file checking. Mattermost Server
4.3.0.3 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Fixed an issue where script could be injected into the allow/deny OAuth 2.0 page. Mattermost Server
4.3.0.4 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authentication) Fixed a vulnerability where any logged in user could revoke another user’s session if they had somehow obtained the session ID. Mattermost Server
4.3.0.5 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented author_link and title_link fields in Slack attachments from containing JavaScript links. Mattermost Server
4.3.0.6 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented JavaScript injection using the goto_location response to a slash command. Mattermost Server
4.3.0.7 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented JavaScript injection using OpenGraph data received from a malicious web page. Mattermost Server
4.3.0.8 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authorization) Prevented code prediction and possible access to user accounts due to weak entropy in authorization code generation when using Mattermost as an OAuth 2.0 Service Provider. Mattermost Server
4.3.0.9 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authorization) Prevented registered OAuth applications from being able to privilege escalate with personal access tokens or by accessing other API endpoints on behalf of the user. Mattermost Server
4.3.10 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Prevented users from executing slash commands against a channel that belongs to a team in which they don’t have permission to use slash commands. Mattermost Server
4.3.11 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Information Disclosure) Fixed the team creators email being returned to team members with the team object Mattermost Server
4.3.12 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Reducing Attack Surface) Prevented potential SQL injection by parameterizing the SQL query used for fetching multiple posts from the database. Mattermost Server
4.3.13 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed a vulnerability where users could create fake system message posts via webhooks and slash commands through the v3 and v4 REST API. Mattermost Server
4.3.14 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed a vulnerability where action buttons could be crafted to execute certain API requests on behalf of the user that clicks them. Mattermost Server
4.2.0.1 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Phishing) Removed the ability for error pages to display custom links. Thanks to Andrey Dyatlov for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.2 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) Fixed an issue where certain fields in email templates could contain unescaped HTML. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.3 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Cross-Site Scripting) Fixed an issue where channel display names containing unescaped HTML would be rendered in posts. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.4 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) When using Mattermost as an OAuth 2.0 service provider and allowing non-admins to create integrations, users could register OAuth 2.0 applications as trusted and bypass the resource owner authorization step. As a result, the application could gain access to a logged-in Mattermost user who clicks on a link to that application. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.5 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) REST API version 4 endpoints for getting user statuses did not require active sessions. Information about user statuses could then be revealed to unauthenticated users. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.6 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) REST API version 3 logging endpoint could allow unauthenticated users to post DEBUG statements to the server logs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.7 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) When using Mattermost as an OAuth 2.0 service provider, a user clicking deny could still be redirected to the provided redirect_uri. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.8 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Denial of Service) Fixed an issue where certain posts could cause the browser to freeze. Thanks to Johannes Kastenfrosch for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.9 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) Increased robustness of per-IP-address rate-limiting. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.7.1.1 na na 2017-08-30 v3.7.1 (Reducing Attack Surface) Revoked trust for certificates issued by the StartCom/WoSign Certificate Authorities (CA). Thanks to Aaron Siegel from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
4.1.0.1 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (Injection) Fixed a scenario where exporting a compliance report to CSV could allow formulas to run inside other applications, such as Microsoft Excel. Thanks to David Dworken for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.1.0.2 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (Unauthenticated API Access) Fixed a scenario where team JSON, including team invite IDs, could be retrieved from the server without logging in and using only the team name. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.1.0.3 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (API Data Leak) Fixed a scenario where team invite IDs could be leaked to logged in users through some team API endpoints. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.1 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Request Forgery) Fixed a scenario where servers with CORS enabled could allow CSRF (cross-site request forgery) from unintended origins. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.2 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Scripting) Updated server to ensure that uploaded non-image files are always downloaded instead of displayed on a browser. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.3 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Failure to Invalidate Sessions) When using Mattermost as an OAuth 2.0 service provider, deleting a registered OAuth application would not revoke existing sessions in use by that application. New sessions for that application would not be created. Old sessions will still expire after the regular period. Thanks to Lindsay Brock for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.4 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (SSO Vulnerability) A user with an account on an SSO OAuth2 provider (e.g. GitLab) could forge a request to claim an existing Mattermost account. Only affects Mattermost servers with GitLab single sign-on or Mattermost Enterprise Edition servers with Office365 or G Suite single sign-on enabled. The attack is not stealthy: the victim would be notified of the account change by email and would not be able to log in to their account. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.5 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Scripting) Prevented the channel header from rendering raw HTML for users that have post formatting disabled. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.6 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Reducing Attack Surface) Updated server to ensure that the password reset email is always sent to the user's email address from the database, not the email address entered into the password reset form, to avoid the risk posed by database collation. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.9.0.1 na na 2017-05-16 v3.9.0 (Reducing Attack Surface) Updated server to enforce encryption and signature verification by default when SAML is enabled. Mattermost Server
3.8.0.1 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Message Spoofing) Fixed a vulnerability where a user can cause email notifications to include arbitrary links. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.2 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Reducing Attack Surface) Updated server to prevent skipping the certificate verification when connecting to an email server over TLS. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.3 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Remote Code Execution) Updated server to allow only the path for the Mattermost log file instead of the full path and file name. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.4 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Cross-Site Scripting) Updated client to prevent links on error pages from executing JavaScript when opening in a new tab. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.5 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Message Spoofing) Updated client to prevent displaying non-whitelisted external links on error pages. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.6 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Unauthorized Access to API Endpoint) Updated server to enforce policy permission role restrictions after a server restart. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.7 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Unauthorized Access to API Endpoint) Updated server to enforce integration permission restrictions correctly based on the system configuration. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.1.1 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Reducing Attack Surface) Moved to stronger algorithms for hashing email invitations, OAuth, and email verification tokens. Thanks to Carlos Tadeu Panato Junior for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.7.3.1 na na 2017-03-23 v3.7.3 and v3.6.5 (Preventing Remote Code Execution) Prevent System Administrator from uploading a SAML certificate into an arbitrary file location. Thanks to Martijn Korse for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.7.0.1 na na 2017-03-16 v3.7.0 and v3.6.3 (Preventing Unauthorized Access to API Endpoint) Updated server to prevent team creation without an authenticated account. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.6.2.1 na na 2017-01-31 v3.6.2 (Preventing Cross-Site Scripting) Updated the server to honor cross-origin settings for websocket connections. Thanks to Alex Garbutt for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.6.0.1 na na 2017-01-16 v3.6.0 and v3.5.2 (Preventing Cross-Site Scripting) Updated client to prevent links on error page from executing code. Thanks to Julien Ahrens for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.5.1.1 na na 2016-11-23 v3.5.1 (Reducing Attack Surface) Fixed a vulnerability where a user could bypass email verification without needing to receive the email. Thanks to Alyssa Milburn for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.5.1.2 na na 2016-11-23 v3.5.1 (Preventing Cross-Site Scripting and Remote Code Execution) Updated client to prevent certain code files from being executed in the browser window when opened in a file preview. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.4.0.1 na na 2016-09-22 v3.4.0 (Reducing Attack Surface) Added protection against code injection vulnerabilities by overriding and disabling an eval function that allowed strings to be executed as code. Thanks to Kolja Lampe for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
3.3.0.1 na na 2016-08-16 v3.3.0 (Preventing Message Spoofing) Fixed a vulnerability where a logged in user could use WebSockets to show pop-ups containing messages to users in place of desktop notifications, and also locally modify the appearance of posts. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.1 na na 2016-07-16 v3.2.0 (Reducing Information Disclosure) Removed unused personal information from being returned in initial_load API. Thanks to Christer Mjellem Strand and Jonas Arneberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.2 na na 2016-07-16 v3.2.0 (Protecting Against Denial of Service Vulnerability) Fixed functionality that caused certain posts to freeze a reader’s browser. Thanks to Mohammad Razavi and Steve MacQuiddy for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.3 na na 2016-07-16 v3.2.0 (Reducing Information Disclosure) Fixed an injection vulnerability that could cause certain LDAP fields to be disclosed. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.4 na na 2016-07-16 v3.2.0 (Reducing Attack Surface) Added protection against brute forcing a password change. Thanks to Ashish Pathak for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.1.0.1 na na 2016-06-16 v3.1.0 (Preventing Cross-Site Scripting) Updated server to prevent a user from inadvertently including malicious content in theme color code values that would execute JavaScript code under the user's credentials. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.1.0.2 na na 2016-06-16 v3.1.0 (Reducing Attack Surface) Added rel='noreferrer noopener' to all links using target='_blank' to reduce the potential for cross-site scripting attacks. Mattermost Server
3.0.2.1 na na 2016-05-17 v3.0.2 (Reducing Information Disclosure) Removed the redundancy between Session ID and Session Token. The Session Token is limited to allowing login and the Session ID is limited to revoking sessions. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.1 na na 2016-05-16 v3.0.0 (Preventing Cross-Site Scripting) Sanitized hyperlink values specified by System Administrator in Legal and Support Settings to prevent cross-site scripting attack. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.2 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Limited the system to one valid password reset link per user at a time, replacing the previous system which allowed reuse of password reset links. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.3 na na 2016-05-16 v3.0.0 (Reducing Information Disclosure) Deprecated API previously used by unauthenticated accounts to retrieve data on teams available on the server in order to find team URLs needed for login. This functionality is no longer needed in Mattermost 3.0 where users login by server, rather than by team. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.4 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Added the SSL flag to the cookie that the Mattermost server places on the user's computer over an SSL connection, so that an SSL connection is required before the cookie's information can be disclosed. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.5 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Removed unnecessary APIs for System Admin to change username and email address of LDAP users. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.6 na na 2016-05-16 v3.0.0 (Reducing Information Disclosure) Removed the ability for System Console UI to load credential fields stored in `config.json` in order to reduce information disclosure. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.7 na na 2016-05-16 v3.0.0 (Preventing Cross-Site Scripting) Removed the ability to use the Mattermost redirect URL to run JavaScript. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.8 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Removed unused export APIs to reduce the number of ways a Team Administrator could access account information. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.2.0.1 na na 2016-04-16 v2.2.0 Updated server to prevent misuse of user authority from information stored in a user's browser. Thanks to Jim Hebert of Fitbit Security for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.2.0.2 na na 2016-04-16 v2.2.0 (Preventing Cross-Site Scripting) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Uchida Ta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.2.0.3 na na 2016-04-16 v2.2.0 (Preventing Cross-Site Scripting and Remote Code Execution) Updated server to prevent files from being automatically opened in a browser window, which could be used to attack the system in multiple ways, including being used against the Mattermost desktop application to run programs on an end user's computer. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.1.0.1 na na 2016-03-16 v2.1.0 (Preventing Cross-Site Request Forgery) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Luke Arntson for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
1.2.0.1 na na 2015-11-16 v1.2.0 (Protecting Against Denial of Service Vulnerability) Added file upload restrictions to prevent decompression of very large images from eating up very large portions of server memory after upload. Thanks to Paddy Steed for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server