CVE-2019-20864
An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person’s GitHub account.
Source: CVE-2019-20864
[월:] 2020년 06월
CVE-2019-20851
CVE-2019-20851
An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device.
Source: CVE-2019-20851
CVE-2019-20855
CVE-2019-20855
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
Source: CVE-2019-20855
CVE-2019-20863
CVE-2019-20863
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
Source: CVE-2019-20863
CVE-2019-20852
CVE-2019-20852
An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content).
Source: CVE-2019-20852
CVE-2020-14460
CVE-2020-14460
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
Source: CVE-2020-14460
CVE-2020-14456
CVE-2020-14456
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.
Source: CVE-2020-14456
CVE-2020-14457
CVE-2020-14457
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
Source: CVE-2020-14457
CVE-2020-14458
CVE-2020-14458
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
Source: CVE-2020-14458
CVE-2020-14459
CVE-2020-14459
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
Source: CVE-2020-14459