CVE-2017-18875

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.

Source: CVE-2017-18875

CVE-2018-21260

An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.

Source: CVE-2018-21260

CVE-2018-21248

An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.

Source: CVE-2018-21248

CVE-2018-21258

An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.

Source: CVE-2018-21258

CVE-2018-21250

An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.

Source: CVE-2018-21250

CVE-2018-21261

An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.

Source: CVE-2018-21261

CVE-2018-21249

An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.

Source: CVE-2018-21249

CVE-2018-21253

An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.

Source: CVE-2018-21253

CVE-2018-21254

An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.

Source: CVE-2018-21254

CVE-2018-21255

An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel.

Source: CVE-2018-21255