| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Missing Authorization vulnerability in Mondial Relay WooCommerce - WCMultiShipping WCMultiShipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCMultiShipping: from n/a through 2.3.5. |
| Missing Authorization vulnerability in IT Path Solutions Contact Form to Any API allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form to Any API: from n/a through 1.1.6. |
| Missing Authorization vulnerability in blossomthemes BlossomThemes Email Newsletter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BlossomThemes Email Newsletter: from n/a through 2.2.4. |
| Missing Authorization vulnerability in EasyAzon EasyAzon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EasyAzon: from n/a through 5.1.0. |
| Missing Authorization vulnerability in miniOrange miniorange otp verification allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects miniorange otp verification: from n/a through 4.2.1. |
| Missing Authorization vulnerability in David Vongries Welcome Email Editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Welcome Email Editor: from n/a through 5.0.6. |
| Missing Authorization vulnerability in WPoperation SALERT allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SALERT: from n/a through 1.2.1. |
| Missing Authorization vulnerability in Jose Vega Display custom fields in the frontend – Post and User Profile Fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display custom fields in the frontend – Post and User Profile Fields: from n/a through 1.2.0. |
| Missing Authorization vulnerability in Noah Hearle, Design Extreme We’re Open! allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects We’re Open!: from n/a through 1.45. |
| Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities. |
| A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.
|
| A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.
|
| When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
|
| Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.
|
| Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.
|
| Mattermost fails to verify if the requestor is a sysadmin or not, before allowing `install` requests to the Apps allowing a regular user send install requests to the Apps. |
| Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands.
|
| Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API.
|
| Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated.
|
| When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.
|
