Monthly Archive: June 2020

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else’s account. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints. Date published : 2020-06-19 https://mattermost.com/security-updates/

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document. Date published : 2020-06-19 https://mattermost.com/security-updates/