
3 vulnerabilities found for Mattermost Plugins by Mattermost

CERTFR-2026-AVI-0173

Vulnerability from certfr_avis - Published: 2026-02-16 - Updated: 2026-03-17

Multiple vulnerabilities have been discovered in Mattermost products. They allow an attacker to cause a remote denial of service, a breach of data confidentiality, and a security issue not specified by the vendor.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor | Product | Description
Mattermost | Mattermost Plugins | Mattermost Plugins versions 2.x prior to 2.3.1.0
Mattermost | Mattermost Desktop App | Mattermost Desktop App versions prior to 5.13.4.0
Mattermost | Mattermost Plugins | Mattermost Plugins versions 10.x prior to 10.11.11
Mattermost | Mattermost Server | Mattermost Server versions 11.3.x prior to 11.3.1
Mattermost | Mattermost Server | Mattermost Server versions 11.2.x prior to 11.2.3
Mattermost | Mattermost Server | Mattermost Server versions 10.11.x prior to 10.11.11


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Mattermost Plugins versions 2.x ant\u00e9rieures \u00e0 2.3.1.0",
      "product": {
        "name": "Mattermost Plugins",
        "vendor": {
          "name": "Mattermost",
          "scada": false
        }
      }
    },
    {
      "description": "Mattermost Desktop App versions ant\u00e9rieures \u00e0 5.13.4.0",
      "product": {
        "name": "Mattermost Desktop App",
        "vendor": {
          "name": "Mattermost",
          "scada": false
        }
      }
    },
    {
      "description": "Mattermost Plugins versions 10.x ant\u00e9rieures \u00e0 10.11.11",
      "product": {
        "name": "Mattermost Plugins",
        "vendor": {
          "name": "Mattermost",
          "scada": false
        }
      }
    },
    {
      "description": "Mattermost Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.1",
      "product": {
        "name": "Mattermost Server",
        "vendor": {
          "name": "Mattermost",
          "scada": false
        }
      }
    },
    {
      "description": "Mattermost Server versions 11.2.x ant\u00e9rieures \u00e0 11.2.3",
      "product": {
        "name": "Mattermost Server",
        "vendor": {
          "name": "Mattermost",
          "scada": false
        }
      }
    },
    {
      "description": "Mattermost Server versions 10.11.x ant\u00e9rieures \u00e0 10.11.11",
      "product": {
        "name": "Mattermost Server",
        "vendor": {
          "name": "Mattermost",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-25783",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-25783"
    },
    {
      "name": "CVE-2026-26246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-26246"
    },
    {
      "name": "CVE-2026-2456",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2456"
    },
    {
      "name": "CVE-2026-2463",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2463"
    },
    {
      "name": "CVE-2026-2462",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2462"
    },
    {
      "name": "CVE-2026-24458",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24458"
    },
    {
      "name": "CVE-2026-2457",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2457"
    },
    {
      "name": "CVE-2026-2458",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2458"
    }
  ],
  "initial_release_date": "2026-02-16T00:00:00",
  "last_revision_date": "2026-03-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0173",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-02-16T00:00:00.000000"
    },
    {
      "description": "Ajout de multiples identifiants et modification des risques.",
      "revision_date": "2026-03-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Mattermost. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mattermost",
  "vendor_advisories": [
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00528",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00542",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00537",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00569",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00588",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00531",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00587",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00581",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00572",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00586",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00571",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00554",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00565",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00596",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00583",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00568",
      "url": "https://mattermost.com/security-updates/"
    },
    {
      "published_at": "2026-02-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00585",
      "url": "https://mattermost.com/security-updates/"
    }
  ]
}

CVE-2023-3613 (GCVE-0-2023-3613)

Vulnerability from nvd – Published: 2023-07-17 15:31 – Updated: 2024-10-21 19:39
Title
Guest accounts invited and added to channels by Welcomebot plugin
Summary
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
Impacted products
Vendor | Product | Version
Mattermost | Mattermost Plugins | Affected: 0, ≤ 7.8.5 (semver); Affected: 0, ≤ 7.10.2 (semver); Unaffected: 7.8.6; Unaffected: 7.10.3
Credits
Jason Frerich

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:01:56.920Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://mattermost.com/security-updates"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3613",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T19:38:31.157096Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T19:39:44.854Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Mattermost Plugins",
          "vendor": "Mattermost",
          "versions": [
            {
              "lessThanOrEqual": "7.8.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.10.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.8.6"
            },
            {
              "status": "unaffected",
              "version": "7.10.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Jason Frerich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u0026nbsp;guest accounts to be added or invited to channels by default. \u003c/p\u003e"
            }
          ],
          "value": "Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u00a0guest accounts to be added or invited to channels by default. \n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-17T15:31:23.674Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://mattermost.com/security-updates"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate Mattermost to versions 7.8.6,\u0026nbsp;7.10.3 or higher. Alternatively, update the WelcomeBot plugin to version 1.3.0 or higher.\u003c/p\u003e"
            }
          ],
          "value": "Update Mattermost to versions 7.8.6,\u00a07.10.3 or higher. Alternatively, update the WelcomeBot plugin to version 1.3.0 or higher.\n\n"
        }
      ],
      "source": {
        "advisory": "MMSA-2023-00186",
        "defect": [
          "https://mattermost.atlassian.net/browse/MM-52564"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Guest accounts invited and added to channels by Welcomebot plugin",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2023-3613",
    "datePublished": "2023-07-17T15:31:23.674Z",
    "dateReserved": "2023-07-11T08:28:36.132Z",
    "dateUpdated": "2024-10-21T19:39:44.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3613 (GCVE-0-2023-3613)

Vulnerability from cvelistv5 – Published: 2023-07-17 15:31 – Updated: 2024-10-21 19:39
Title
Guest accounts invited and added to channels by Welcomebot plugin
Summary
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
Impacted products
Vendor | Product | Version
Mattermost | Mattermost Plugins | Affected: 0, ≤ 7.8.5 (semver); Affected: 0, ≤ 7.10.2 (semver); Unaffected: 7.8.6; Unaffected: 7.10.3
Credits
Jason Frerich