Mattermost Security Updates

To report security issues please see the Mattermost Responsible Disclosure Policy. To sign up for notifications when a security fix is released, please join our Security Bulletin mailing list.

Mattermost software undergoes security review and penetration testing by organizations preparing for deployment, by leaders in the global security research community, and through internal review and testing.

Feedback is responsibly shared with the product team so that security updates can be offered to the Mattermost community before the issues are publicly disclosed on the Mattermost Security Updates page.

Note: To increase the safety of Mattermost users, specific details on security updates in Mattermost releases are announced 30 days after the availability of the update. We have a mandatory upgrade policy and only provide updates for the latest release.

Issues

Issue Identifier Severity Affected Versions Fix Release Date Fix Versions Issue Details Issue Platform
MMSA-2020-0028 Low All 2020-09-16 v5.27.0 Details on the security update will be posted here on October 16th, as per our Responsible Disclosure Policy. Mattermost Server
MMSA-2020-0030 High v5.20.x to v5.26.x, excluding v5.25.5 and v5.26.2 2020-09-03 v5.25.5, 5.26.2 Details on the security update will be posted here on October 5th, as per our Responsible Disclosure Policy. Mattermost Server
MMSA-2020-0025 Low All 2020-07-16 v1.33.0 (Denial of Service) Fixed an issue where specifically crafted Markdown could crash the Android version of the application. Thanks to Jorge Ferreira and Patrick Sukop from Blaze Information Security for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
MMSA-2020-0024 Low All 2020-07-16 v5.25.0 (Authorization) Fixed an issue where plugins could fail to enforce team-level permissions under specific circumstances. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0027 High All 2020-07-13 v4.5.1 (Third Party Library Vulnerability) Fixed Electron security issues CVE-2020-15096, CVE-2020-4077, CVE-2020-4075, and CVE-2020-4076. Mattermost Desktop App
MMSA-2020-0023 Low All 2020-06-16 v5.24.0 (Denial of Service) Fixed an issue where a large crafted Markdown message could have caused high resource consumption in the client. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0019 Low All 2020-06-16 v5.24.0 (Information Disclosure) Fixed an issue where authenticated users could gain access to private teams for a limited time in some configurations. Thanks to Jonathan (0xghostwriter) for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0022 High v1.31.0 2020-05-27 v1.31.2 (Information Disclosure) Fixed an issue where 1.31.0 Build 293 of the iOS app could leak authorization tokens to 3rd-party servers under specific configurations. A newer unaffected build was already available prior to discovering this issue. Thanks to Jorge Ferreira, Wilberto Filho and Julio Fort from Blaze Information Security for notifying Mattermost under the responsible disclosure policy. Mattermost Mobile Apps
MMSA-2020-0021 Low v5.22.0, v5.19.2 2020-05-16 v5.23.0 (Denial of Service) Fixed an issue where large webhook requests could send the server into an infinite loop. Mattermost Server
MMSA-2020-0020 Low All 2020-05-16 v5.23.0 (Denial of Service) Fixed an issue where automatic direct message replies could cause an infinite loop leading to Denial of Service. Thanks to Doug Lauder for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0018 High v1.29.0 2020-04-16 v1.30.0 (Information Disclosure) Fixed an issue where authorization tokens could be leaked to 3rd-party servers under specific configurations. Thanks to Mikael Berthe for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
MMSA-2020-0017 Low All 2020-04-16 v5.22.0 (Denial of Service) Fixed a potential client-side Denial of Service vulnerability in the Markdown renderer. Thanks to James Hall from MDSec Labs for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0013 Low All 2020-03-16 v1.29.0 (Information Disclosure) Fixed an issue where the iOS app did not clear SSO cookies and local storage on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
MMSA-2020-0014 Low All 2020-03-16 v5.21.0 (Injection) Fixed an HTTP path traversal issue in mmctl. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0005 Low All 2020-03-16 v5.21.0 (Denial of Service) Fixed an issue where unbounded reads from a socket could lead to Denial of Service. Thanks to Lev Brouk for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0008 Low All 2020-02-16 v4.4.0 (Reducing Attack Surface) Fixed an issue where unvalidated Mattermost server redirection could allow opening arbitrary web pages in the desktop app. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
MMSA-2020-0007 Low All 2020-02-16 v4.4.0 (Phishing) Fixed an issue where HTTP Basic authentication prompts could be used for phishing. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
MMSA-2020-0006 Medium All 2020-02-16 v4.4.0 (Authorization) Fixed an issue where 3rd-party origins could be granted access to restricted web APIs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
MMSA-2020-0012 Low All 2020-02-16 v5.20.0 (Authorization) Fixed an issue where the ‘update_team’ WebSocket event could broadcast team details to non-members. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0004 Low All 2020-01-16 v5.19.0 (Information Disclosure) Fixed an issue where the existence of private channels was exposed by the get-channel-by-name API. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0002 Low All 2020-01-16 v5.19.0 (Input Validation) Fixed an issue where channels could be renamed to collide with direct messages. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0001 High All 2020-01-16 v5.19.0 (Authorization) Fixed an issue where non-admin users could create trusted OAuth apps. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
MMSA-2020-0001 High All 2020-01-08 v5.18.1, 5.17.3, 5.16.5, 5.9.8 (Privilege Escalation) Fixed an issue where non-admin users could create trusted OAuth apps. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.4 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Cross-Site Request Forgery) Fixed an issue where a malicious website could take over user accounts via CSRF in specific server configurations. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.3 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (SQL Injection) Fixed an issue where server administrators could inject arbitrary SQL SELECT queries to the database through the SearchAllChannels functionality. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.2 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Improper Access Control) Fixed an issue with configuration files being assigned unnecessarily permissive modes, potentially enabling privilege escalation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.17.2.1 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Improper Access Control) Fixed an issue where changing a channel’s type allowed logged-in users to spoof a direct message channel between two users in specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.7 na na 2019-12-16 v5.18.0 (Denial of Service) Fixed an issue where a large Slack import could cause the server to run out of memory, leading to Denial of Service. Thanks to Abhisek Datta (abhisek) for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.6 Low na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where server-local file storage was assigning unnecessarily permissive modes to files and directories. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.5 Low na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where users could send ‘user_typing’ WebSocket events to arbitrary channels. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.4 High na 2019-12-16 v5.18.0 (Cross-Site Request Forgery) Fixed an issue where a malicious website could take over user accounts via CSRF in specific server configurations. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.3 High na 2019-12-16 v5.18.0 (SQL Injection) Fixed an issue where server administrators could inject arbitrary SQL SELECT queries to the database through the SearchAllChannels functionality. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.2 High na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue with configuration files being assigned unnecessarily permissive modes, potentially enabling privilege escalation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.18.0.1 High na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where changing a channel’s type allowed logged-in users to spoof a direct message channel between two users in specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
1.26.0.5 Low na 2019-12-16 v1.26.0 (Input Validation) Fixed an issue where specifically crafted replies via the quick reply functionality could cause unexpected behavior. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.4 Medium na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where cookie data was not cleared from the device on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.3 Low na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where web view caches were not cleared from the device on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.2 Medium na 2019-12-16 v1.26.0 (Path Traversal) Fixed an issue where video preview functionality could be used to overwrite arbitrary files on the device. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
1.26.0.1 Low na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where sensitive data such as server addresses and message contents could end up in local device logs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps
na na na 2019-11-19 v5.16.3 (Reducing Attack Surface) Fixed an issue where a Droplet could expose a vulnerable service to the internet, potentially leading to a remote code execution attack on the server. Mattermost Packages
5.17.0.1 Medium na 2019-11-16 v5.17.0 (Denial of Service) Fixed an issue where a specifically crafted LaTeX message could cause a client-side crash of the web application. Mattermost Server
5.16.1.1 High na 2019-10-24 v5.16.1, 5.15.2, 5.14.5, 5.9.6 (Information Disclosure) Fixed an issue where a legacy attachment migration could lead to the leakage of other local files on both upgraded and non-upgraded legacy systems. Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.3.0.1 Medium na 2019-10-17 v4.3.0 (Code Injection) Fixed a dylib injection vulnerability in the Mattermost macOS client. Thanks to Csaba Fitzl for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
5.16.0.1 na na 2019-10-16 v5.16.0 (Denial of Service) Fixed an issue where posts containing several thousand backticks hung the Markdown renderer. Mattermost Server
5.15.0.2 na na 2019-09-16 v5.15.0 (Denial of Service) Fixed an issue where some APIv4 endpoints did not handle the special characters of SQL LIKE statements, which could lead to ReDoS (high CPU usage on the database server). Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.15.0.1 na na 2019-09-16 v5.15.0 (Improper Access Control) Fixed an issue where an access control restriction could be bypassed via specially crafted input during login. Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.13.3.1 na na 2019-08-22 v5.13.3, 5.12.6, 5.9.4 (Denial of Service) Fixed an issue where a specifically constructed SVG could be uploaded which would cause the web and desktop apps to freeze when viewing that channel. Thanks to severus for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.14.0.1 Medium na 2019-08-16 v5.14.0 (Denial of Service) Fixed an issue where a specifically constructed SVG could be uploaded which would cause the web and desktop apps to freeze when viewing that channel. Thanks to severus for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.2.1 High na 2019-08-07 v4.2.2 (Remote Code Execution) Mitigated a remote code execution vulnerability where a specifically crafted link could invoke code in specific circumstances. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
5.13.0.2 Low na 2019-07-16 v5.13.0 (Authorization) Enforced team membership when fetching slash commands that are enabled for a team. Thanks to Ashish Padelkar for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.13.0.1 Low na 2019-07-16 v5.13.0 (Authorization) Added more explicit checks for incoming webhook creation. Thanks to Aryan Rupala for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.13.0.3 na na 2019-07-16 v5.13.0 (Authorization) Fixed an issue in the GitHub plugin where a user was able to attach their Mattermost account to a victim’s GitHub account. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Plugins
5.11.1.1 na na 2019-06-21 v5.11.1, 5.10.2, 5.9.2, 4.10.10 (CSRF) Added protection against CSRF attacks on the login page. Thanks to Zonduu for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.12.0.2 Medium na 2019-06-16 v5.12.0 (CSRF) Added protection against CSRF attacks on the login page. Thanks to Zonduu for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.12.0.1 Low na 2019-06-16 v5.12.0 (Input Validation) Added a configuration flag to explicitly enable Source IP overwrites using proxy overwrite headers. Thanks to prefix for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.11.0.2 Low na 2019-05-16 v5.11.0 (Denial of Service) Fixed an issue where a specific post could prevent loading all posts in that channel. Thanks to vincentbab for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.11.0.1 na na 2019-05-16 v5.11.0 (Input Validation) Moved generation of invite ids to a more secure function. Thanks to Bruno Bierbaumer for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.1.1 na na 2019-04-24 v5.9.1, 5.8.2, 4.10.9 (Authorization) Fixed an issue where Update/Patch Channel endpoint could accept changes from non-members for private channels. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.10.0.2 High na 2019-04-16 v5.10.0 (Authorization) Fixed an issue where Update/Patch Channel endpoint could accept changes from non-members for private channels. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.10.0.1 Medium na 2019-04-16 v5.10.0 (Input Validation) Fixed an issue where a user could modify the file IDs of a POST without showing the edited flag. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.8 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Denial of Service) Fixed a case of catastrophic backtracking within the Markdown library. Thanks to esosnov for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.7 Medium na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Reducing Attack Surface) Added additional protection against SSRF attacks to services running on the Mattermost server itself. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.6 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Information Disclosure) Fixed an information disclosure related to user activation/deactivation, where session information of the admin could be leaked to the system user. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.5 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Information Disclosure) Fixed an information disclosure related to role changes, where session information of the admin could be leaked to the system user. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.4 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Reducing Attack Surface) Invalidated password reset tokens when an email change is executed. Thanks to mga_bobo for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.3 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Denial of Service) Fixed an issue where a user was able to deactivate their own account when the option was disabled. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.2 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Authorization) Enhanced the authentication flow to avoid disclosing whether a user had two-factor authentication enabled or not. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.9.0.1 na na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Phishing) Enhanced email verification when a change is attempted from within the application. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.6 na na 2019-02-16 v5.8.0, 5.7.2, 5.6.5, 4.10.7 (Reducing Attack Surface) Fixed an issue where a user was allowed to modify their email address without re-entering their credentials. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.4 na na 2019-02-16 v5.8.0, 5.7.2, 5.6.5, 4.10.7 (Denial of Service) Added mitigation to the possibility of high memory usage through external requests caused by OpenGraph data. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.8 Low na 2019-02-16 v5.8.0 (Input Validation) Applied login attempt limits to MFA to prevent brute forcing. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.7 na na 2019-02-16 v5.8.0 (Authorization) Anyone could join an open team even when a domain was specified. Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.5 na na 2019-02-16 v5.8.0 (Authorization) Users could pin/unpin posts when the experimental “read only Town Square” configuration setting was enabled. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.3 na na 2019-02-16 v5.8.0 (Reducing Attack Surface) Removed the ability for a single file to become partly attached to multiple posts. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.2 na na 2019-02-16 v5.8.0 (Information Disclosure) Added automatic robots.txt file to prevent search engines crawling Mattermost by default. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.8.0.1 na na 2019-02-16 v5.8.0 (Reducing Attack Surface) Improved the creation flow for the first user to make it harder to accidentally make a user system admin. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.1.1 na na 2019-02-01 v5.7.1, 5.6.4, 5.5.3 and 4.10.6 (Information Disclosure) A registered user was allowed to receive posts within the team without the required permissions through the flags API. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.0.3 na na 2019-01-16 v5.7, 5.6.3, 5.5.2, 4.10.5 (Denial of Service) A malicious outgoing webhook or slash command integration could cause the server to run out of memory. Thanks to Boyd Ansems of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.0.1 na na 2019-01-16 v5.7, 5.6.3, 5.5.2, 4.10.5 (Authorization) The permissions required for a user to create a user access token were unclear so they could be configured incorrectly when setting up Mattermost. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.7.0.2 na na 2019-01-16 v5.7 (Information Disclosure) A user who could not view other users’ email addresses could confirm a user has a known email address. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.4.0.1 na na 2018-10-16 v5.4.0 (Authorization) The client could hold and send unnecessary authentication credentials. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.3.0.2 na na 2018-09-16 v5.3.0 (Reducing Attack Surface) Fixed a potential timing attack. Thanks to Ben Burke for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.3.0.1 na na 2018-09-16 v5.3.0 Alpine Linux was updated to fix a vulnerability reported responsibly to the Alpine Linux project by Max Justicz. Mattermost Server
5.2.0.3 na na 2018-09-16 v5.2.2, 5.1.2, 4.10.4 (Denial of Service) A specially-crafted image with large dimensions and a small file size could be uploaded as an emoji, causing the server to use excess amounts of memory and possibly crash. Thanks to Soroush Dalili from NCC Group for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.2.0.2 na na 2018-08-16 v5.2, 5.1.1 (Authorization) The “updateChannel” endpoint would not check whether the channel ID is the same in the params and the body. Thanks to Đặng Minh Trí for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.2.0.1 na na 2018-08-16 v5.2, 5.1.1, 5.0.3, 4.10.3 (Authorization) Users would be able to bypass email signup domain restriction by listing multiple emails. Thanks to Đặng Minh Trí for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.5 na na 2018-07-16 v5.1, 5.0.2, 4.10.2 (Authorization) The “invite_people” slash command would allow any logged-in user to invite users to the team/server without checking the relevant permissions. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.6 na na 2018-07-16 v5.1 (Authorization) The message slash command would allow a user to create direct message channels without the requisite permission being granted. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.4 na na 2018-07-16 v5.1 (Authorization) Channel PATCH API would allow modification of Direct and Group message channels by users who were not a member of those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.3 na na 2018-07-16 v5.1 (Authorization) The group message slash command would allow a user to create group message channels without the requisite permission being granted. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.2 na na 2018-07-16 v5.1 (Authorization) Channel header slash command API could be exploited to set the header of Direct Message and Group Message channels as a user who does not have access to those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
5.1.1.1 na na 2018-07-16 v5.1 (Denial of Service) The “/invite_people” slash command could be used to cause a DoS attack. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.10.1.1 na na 2018-06-04 v4.10.1, 4.9.4, 4.8.2 (Denial of Service) Viewing a channel containing a malformed link could cause the app to freeze. Thanks to Eric Sethna for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.8.1.2 na na 2018-04-09 v4.8.1, 4.7.4, 4.6.3 (Information Disclosure) A System Admin editing a user would unintentionally send a WebSocket event with the user’s email address and other personal information, ignoring the privacy settings. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.8.1.1 na na 2018-04-09 v4.8.1, 4.7.4, 4.6.3 (Authorization) The team invite_id was disclosed through email invites, allowing a user to invite themselves repeatedly to a team and invite others. Thanks to Jesús Espino for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.1.1 na na 2018-03-28 v4.0.1 (Reducing Attack Surface) Node.js was allowed to be re-enabled in some Electron applications that disable it. This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs. Mattermost Desktop App
4.7.3.1 na na 2018-03-09 v4.7.3 (Denial of Service) Viewing a post containing invalid LaTeX code would cause an error that crashed the app. Thanks to Jan Wissmann for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.7.0.1 na na 2018-02-23 v4.7.0, 4.6.2, 4.5.2 (Authorization) SAML responses could be used beyond their expiration dates and maliciously crafted SAML responses could allow users to authenticate as any other user. Thanks to Brad Berkemier for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.1 na na 2018-01-30 v4.0.0 (Reducing Attack Surface) Use setPermissionRequestHandler to request permissions for various actions such as video/audio usage and notifications from untrusted origins. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
4.5.0.2 na na 2017-12-16 v4.5.0, 4.4.5, 4.3.4 (Authorization) When configured to allow non-admins to create webhooks (“EnableOnlyAdminIntegrations” set to false), users were able to forge requests that allow them to edit other users’ webhooks. Thanks to Linda Mitchell for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.5.0.1 na na 2017-12-16 v4.5.0, 4.4.5, 4.3.4, 4.2.2 (Denial of Service) Viewing a post containing @ followed by certain built-in JavaScript field names would cause an error that crashed the app. Thanks to Tobias Gruetzmacher for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.4.0.1 na na 2017-12-05 v4.4.3, 4.3.3 (Authorization) When using Mattermost as an OAuth 2.0 service provider and allowing non-admin users to manage integrations (“EnableOnlyAdminIntegrations” set to false), an attacker with a user account could forge a request allowing the updating of an OAuth app’s name, description, icon, homepage and callback URLs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.3.0.1 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Denial of Service) Fixed an issue where improperly formatted posts could cause the channel to not appear. Mattermost Server
4.3.0.2 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed an issue that allowed users with System Admin permissions to perform upward path traversal, arbitrary file creation and boolean file checks on systems using local storage for files. Systems using other file storage methods allowed only arbitrary file creation and boolean file checks. Mattermost Server
4.3.0.3 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Fixed an issue where script could be injected into the allow/deny OAuth 2.0 page. Mattermost Server
4.3.0.4 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authentication) Fixed a vulnerability where any logged-in user could revoke another user’s session if they had somehow obtained the session ID. Mattermost Server
4.3.0.5 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented author_link and title_link fields in Slack attachments from containing JavaScript links. Mattermost Server
4.3.0.6 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented JavaScript injection using the goto_location response to a slash command. Mattermost Server
4.3.0.7 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented JavaScript injection using OpenGraph data received from a malicious web page. Mattermost Server
4.3.0.8 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authorization) Prevented code prediction and possible access to user accounts due to weak entropy in authorization code generation when using Mattermost as an OAuth 2.0 Service Provider. Mattermost Server
4.3.0.9 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authorization) Prevented registered OAuth applications from being able to privilege escalate with personal access tokens or by accessing other API endpoints on behalf of the user. Mattermost Server
4.3.10 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Prevented users from executing slash commands against a channel that belongs to a team in which they don’t have permission to use slash commands. Mattermost Server
4.3.11 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Information Disclosure) Fixed the team creator's email being returned to team members with the team object. Mattermost Server
4.3.12 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Reducing Attack Surface) Prevented potential SQL injection by parameterizing the SQL query used for fetching multiple posts from the database. Mattermost Server
4.3.13 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed a vulnerability where users could create fake system message posts via webhooks and slash commands through the v3 and v4 REST API. Mattermost Server
4.3.14 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed a vulnerability where action buttons could be crafted to execute certain API requests on behalf of the user that clicks them. Mattermost Server
4.2.0.1 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Phishing) Removed the ability for error pages to display custom links. Thanks to Andrey Dyatlov for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.2 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) Fixed an issue where certain fields in email templates could contain unescaped HTML. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.3 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Cross-Site Scripting) Fixed an issue where channel display names containing unescaped HTML would be rendered in posts. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.4 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) When using Mattermost as an OAuth 2.0 service provider and allowing non-admins to create integrations, users could register OAuth 2.0 applications as trusted and bypass the resource owner authorization step. As a result, the application could gain access to a logged-in Mattermost user who clicks on a link to that application. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.5 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) REST API version 4 endpoints for getting user statuses did not require active sessions. Information about user statuses could then be revealed to unauthenticated users. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.6 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) REST API version 3 logging endpoint could allow unauthenticated users to post DEBUG statements to the server logs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.7 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) When using Mattermost as an OAuth 2.0 service provider, a user clicking deny could still be redirected to the provided redirect_uri. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.8 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Denial of Service) Fixed an issue where certain posts could cause the browser to freeze. Thanks to Johannes Kastenfrosch for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.2.0.9 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) Increased robustness of per-IP-address rate-limiting. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.7.1.1 na na 2017-08-30 v3.7.1 (Reducing Attack Surface) Revoked trust for certificates issued by the StartCom/WoSign Certificate Authorities (CA). Thanks to Aaron Siegel from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
4.1.0.1 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (Injection) Fixed a scenario where exporting a compliance report to CSV could allow formulas to run inside other applications, such as Microsoft Excel. Thanks to David Dworken for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.1.0.2 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (Unauthenticated API Access) Fixed a scenario where team JSON, including team invite IDs, could be retrieved from the server without logging in and using only the team name. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.1.0.3 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (API Data Leak) Fixed a scenario where team invite IDs could be leaked to logged in users through some team API endpoints. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.1 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Request Forgery) Fixed a scenario where servers with CORS enabled could allow CSRF (cross-site request forgery) from unintended origins. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.2 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Scripting) Updated server to ensure that uploaded non-image files are always downloaded instead of displayed on a browser. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.3 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Failure to Invalidate Sessions) When using Mattermost as an OAuth 2.0 service provider, deleting a registered OAuth application would not revoke existing sessions in use by that application. New sessions for that application would not be created. Old sessions will still expire after the regular period. Thanks to Lindsay Brock for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.4 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (SSO Vulnerability) A user with an account on an SSO OAuth2 provider (e.g. GitLab) could forge a request to claim an existing Mattermost account. Only affects Mattermost servers with GitLab single sign-on or Mattermost Enterprise Edition servers with Office365 or G Suite single sign-on enabled. The attack is not stealthy: the victim would be notified of the account change by email and would not be able to log in to their account. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.5 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Scripting) Prevented channel header from rendering raw html for users that have post formatting disabled. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
4.0.0.6 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Reducing Attack Surface) Updated server to ensure that the password reset email is always sent to the user’s email from the database, not the email entered into the password reset form, to avoid risk of database collation. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.9.0.1 na na 2017-05-16 v3.9.0 (Reducing Attack Surface) Updated server to enforce encryption and signature verification by default when SAML is enabled. Mattermost Server
3.8.0.1 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Message Spoofing) Fixed a vulnerability where a user can cause email notifications to include arbitrary links. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.2 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Reducing Attack Surface) Updated server to prevent skipping the certificate verification when connecting to an email server over TLS. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.3 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Remote Code Execution) Updated server to allow only the path for the Mattermost log file instead of the full path and file name. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.4 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Cross-Site Scripting) Updated client to prevent links on error pages from executing javascript when opening in a new tab. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.5 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Message Spoofing) Updated client to prevent displaying non-whitelisted external links on error pages. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.6 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Unauthorized Access to API Endpoint) Updated server to enforce policy permission role restrictions after a server restart. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.0.7 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Unauthorized Access to API Endpoint) Updated server to enforce integration permission restrictions correctly based on the system configuration. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.8.1.1 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Reducing Attack Surface) Moved to stronger algorithms for hashing email invitations, OAuth, and email verification tokens. Thanks to Carlos Tadeu Panato Junior for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.7.3.1 na na 2017-03-23 v3.7.3 and v3.6.5 (Preventing Remote Code Execution) Prevent System Administrator from uploading a SAML certificate into an arbitrary file location. Thanks to Martijn Korse for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.7.0.1 na na 2017-03-16 v3.7.0 and v3.6.3 (Preventing Unauthorized Access to API Endpoint) Updated server to prevent team creation without an authenticated account. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.6.2.1 na na 2017-01-31 v3.6.2 (Preventing Cross-Site Scripting) Updated the server to honor cross-origin settings for websocket connections. Thanks to Alex Garbutt for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.6.0.1 na na 2017-01-16 v3.6.0 and v3.5.2 (Preventing Cross-Site Scripting) Updated client to prevent links on error page from executing code. Thanks to Julien Ahrens for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.5.1.1 na na 2016-11-23 v3.5.1 (Reducing Attack Surface) Fixed a vulnerability where a user could bypass email verification without needing to receive the email. Thanks to Alyssa Milburn for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.5.1.2 na na 2016-11-23 v3.5.1 (Preventing Cross-Site Scripting and Remote Code Execution) Updated client to prevent certain code files from being executed in the browser window when opened in a file preview. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.4.0.1 na na 2016-09-22 v3.4.0 (Reducing Attack Surface) Added protection against code injection vulnerabilities by overriding and disabling an eval function that allowed strings to be executed as code. Thanks to Kolja Lampe for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App
3.3.0.1 na na 2016-08-16 v3.3.0 (Preventing Message Spoofing) Fixed a vulnerability where a logged in user could use WebSockets to show pop-ups containing messages to users in place of desktop notifications, and also locally modify the appearance of posts. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.1 na na 2016-07-16 v3.2.0 (Reducing Information Disclosure) Removed unused personal information from being returned in initial_load API. Thanks to Christer Mjellem Strand and Jonas Arneberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.2 na na 2016-07-16 v3.2.0 (Protecting Against Denial of Service Vulnerability) Fixed functionality that caused certain posts to freeze a reader’s browser. Thanks to Mohammad Razavi and Steve MacQuiddy for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.3 na na 2016-07-16 v3.2.0 (Reducing Information Disclosure) Fixed an injection vulnerability that could cause certain LDAP fields to be disclosed. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.2.0.4 na na 2016-07-16 v3.2.0 (Reducing Attack Surface) Added protection against brute forcing a password change. Thanks to Ashish Pathak for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.1.0.1 na na 2016-06-16 v3.1.0 (Preventing Cross-Site Scripting) Updated server to prevent users from inadvertently including malicious content in theme color code values to execute JavaScript code under the user's credentials. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.1.0.2 na na 2016-06-16 v3.1.0 (Reducing Attack Surface) Added rel='noreferrer noopener' to all links using target='_blank' to reduce potential for cross-site scripting attack. Mattermost Server
3.0.2.1 na na 2016-05-17 v3.0.2 (Reducing Information Disclosure) Remove redundancy of Session ID and Session Token. Session Token limited to allowing login and Session ID limited to revoking sessions. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.1 na na 2016-05-16 v3.0.0 (Preventing Cross-Site Scripting) Sanitized hyperlink values specified by System Administrator in Legal and Support Settings to prevent cross-site scripting attack. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.2 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Limit system to one valid password reset link per user at a time to replace the previous system, which allowed reuse of password reset links. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.3 na na 2016-05-16 v3.0.0 (Reducing Information Disclosure) Deprecated API previously used by unauthenticated accounts to retrieve data on teams available on the server in order to find team URLs needed for login. This functionality is no longer needed in Mattermost 3.0 where users login by server, rather than by team. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.4 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) SSL flag functionality added to SSL cookie placed on computer by Mattermost server under SSL connection, requiring SSL connection before the cookie’s information can be disclosed. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.5 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Removed unnecessary APIs for System Admin to change username and email address of LDAP users. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.6 na na 2016-05-16 v3.0.0 (Reducing Information Disclosure) Removed the ability for System Console UI to load credential fields stored in `config.json` in order to reduce information disclosure. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.7 na na 2016-05-16 v3.0.0 (Preventing Cross-Site Scripting) Removed ability to use Mattermost redirect URL to run Javascript. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
3.0.0.8 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Removed unused export APIs to reduce the number of ways a Team Administrator could access account information. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.2.0.1 na na 2016-04-16 v2.2.0 Updated server to prevent misuse of user authority from information stored in a user's browser. Thanks to Jim Hebert of Fitbit Security for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.2.0.2 na na 2016-04-16 v2.2.0 (Preventing Cross-Site Scripting) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Uchida Ta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.2.0.3 na na 2016-04-16 v2.2.0 (Preventing Cross-Site Scripting and Remote Code Execution) Updated server to prevent files from being automatically opened in a browser window, which could be used to attack the system in multiple ways, including being used against the Mattermost desktop application to run programs on an end user's computer. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
2.1.0.1 na na 2016-03-16 v2.1.0 (Preventing Cross-Site Request Forgery) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Luke Arntson for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
1.2.0.1 na na 2015-11-16 v1.2.0 (Protecting Against Denial of Service Vulnerability) Added file upload restrictions to prevent decompression of very large images from eating up very large portions of server memory after upload. Thanks to Paddy Steed for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server
