CVE-2020-14455

An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007.

Source: CVE-2020-14455

CVE-2020-14449

An issue was discovered in Mattermost Mobile Apps before 1.30.0. Authorization tokens can sometimes be disclosed to third-party servers, aka MMSA-2020-0018.

Source: CVE-2020-14449

CVE-2020-14448

An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.

Source: CVE-2020-14448

CVE-2020-14447

An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.

Source: CVE-2020-14447

CVE-2020-14450

An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.

Source: CVE-2020-14450

CVE-2020-14451

An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.

Source: CVE-2020-14451

CVE-2020-14454

An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008.

Source: CVE-2020-14454

CVE-2020-14453

An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.

Source: CVE-2020-14453

CVE-2020-14452

An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.

Source: CVE-2020-14452

CVE-2019-20842

An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.

Source: CVE-2019-20842