Mattermost: >> Mattermost Server >> 1.2.0 Security Vulnerabilities
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
CVSS Score
8.1
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-06-19
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-06-19