Mattermost
LAB ONLY | AUTHORIZED TARGETS ONLY | Auto-generated index
- System ID: mattermost
- Category: platforms
- Coverage policy: rolling-24m
- Total cases: 36
- Added/updated in the last 30 days: 24
- Priority Markdown cases: 36
- Evidenced (real version): 0
- Evidenced (synthetic): 0
- Blocked: 0
- Awaiting manual review / missing browser evidence: 36
- Last rendered: 2026-04-01T09:21:04+00:00
Target constraints
- Applicable target types: lab-local, lab-public, authorized-third-party
- Public-internet verification allowed: yes, but ownership or authorization is required
- Authorization prerequisite: asset ownership can be proven, or written/explicit authorization has been obtained.
- Minimal verification methods: minimal verification, read-only probing, auditable echo, controlled injection.
- Prohibited scenarios: public-internet targets without proof of ownership or explicit authorization; well-known public websites or third-party assets unrelated to the test; any action that causes persistent damage, unauthorized bulk data download, or effects that cannot be rolled back.
Sources
- official: Mattermost Security Updates (mode=core)
- official: NVD Mattermost (keyword=Mattermost; mode=core)
- official: Mattermost Security Updates JSON (mode=core)
- ecosystem-authority: OSV Mattermost (mode=core)
Case list
| Title | Severity | Case status | Evidence status | Evidence method | Source confidence | Updated | Case page |
|---|---|---|---|---|---|---|---|
| Mattermost doesn't set permissions on downloaded bulk export | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-31T23:19:38.844657Z | link |
| Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-31T05:32:49.079377Z | link |
| Mattermost doesn't rate limit login requests, allowing DoS | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-31T05:31:41.869147Z | link |
| Mattermost fails to validate user's authentication method when processing account auth type switch | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:23.696710Z | link |
| Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:08.125706Z | link |
| Mattermost fails to properly enforce read permissions in search API endpoints | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:55:57.125165Z | link |
| Mattermost fails to use consistent error responses when handling the /mute command | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:15.398070Z | link |
| Mattermost fails to validate team-specific upload_file permissions | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:04.837800Z | link |
| Mattermost fails to limit the size of responses from integration action endpoints | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-26T21:11:03.241919Z | link |
| Mattermost allows a removed team member to enumerate all public channels within a private team | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:02.455815Z | link |
| Mattermost fails to filter invite IDs based on user permissions | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:08.610141Z | link |
| Mattermost fails to preserve the redacted state of burn-on-read posts during deletion | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:01.583567Z | link |
| Mattermost fails to properly handle very long passwords | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:03.732922Z | link |
| Mattermost allows attackers to spoof permalink embeds | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:18.286997Z | link |
| Mattermost fails to bound memory allocation when processing DOC files | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:18.467718Z | link |
| Mattermost fails to properly validate User-Agent header tokens | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-26T21:11:24.090883Z | link |
| Mattermost fails to bound memory allocation when processing PSD image files | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:08.918090Z | link |
| MMSA-2026-00574 | medium | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00603 | low | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00624 | medium | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00625 | medium | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00610 | low | generated | triage-manual | synthetic | official | 2026-03-10 | link |
| MMSA-2026-00611 | low | generated | triage-manual | synthetic | official | 2026-03-10 | link |
| MMSA-2026-00621 | high | generated | triage-manual | synthetic | official | 2026-03-05 | link |
| MMSA-2025-00562 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00584 | low | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00589 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00593 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00594 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00598 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00599 | high | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2025-00566 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| MMSA-2026-00578 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| MMSA-2026-00590 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| MMSA-2026-00595 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |