CVE-2023-2000: Security Updates

MMSA-2023-00159 Medium >=v5.34.0 2023-04-27 v7.1.9, 7.8.4, 7.9.3, 7.10.0

Details on the security update will be posted here on May 29th, as per our Responsible Disclosure Policy.

Mattermost Server MMSA-2023-00162 Medium <=v7.9.1, <=v7.8.2, <=v7.7.3, <=v7.1.7 2023-04-12 v7.9.2, 7.8.3, 7.7.4, 7.1.8

Details on the security update will be posted here on May 12th, as per our Responsible Disclosure Policy.

Mattermost Server MMSA-2023-00160 Medium <=v7.9.1, <=v7.8.2, <=v7.7.3, <=V7.1.7 2023-04-12 v7.9.2, 7.8.3, 7.7.4, 7.1.8

Details on the security update will be posted here on May 12th, as per our Responsible Disclosure Policy.

Mattermost Server MMSA-2023-00142 Medium <= 5.2.2 2023-03-30 v5.3.0

(Reducing Attack Surface) Fixed an issue where unvalidated Mattermost server redirection could allow opening arbitrary web pages in the desktop app. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2023-00146 High <=v7.7.2, <=v7.8.1, v7.9.0 2023-03-17 v7.9.1, 7.8.2, 7.7.3

(Information Disclosure) Fixed an issue where user passwords and user hashes were revealed in audit logs if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). Thanks to Jo Astoreca for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00128 Low <v7.9 2023-03-16 v7.9.0

(Information Disclosure) Fixed an issue where detailed information on teams, including name, display name and description were broadcast over websocket connections to all users with an active websocket connection when archiving a team. Thanks to Daniel Espino Garcia for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00141 Medium <=7.8.0, <=7.7.1, <=7.1.5 2023-03-01 v7.8.1, 7.7.2, 7.1.6

(Information Disclosure) Fixed an issue where message contents from private channels could be returned as part of the embed metadata of a crafted post in a different channel. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00139 High <=7.7.1, <=7.1.5 2023-03-01 v7.8.0, 7.7.2, 7.1.6

(XSS) Fixed an issue where an attacker could attach a malicious SVG file to an item on Mattermost Boards and share it using a direct link to the file. Thanks to Veshraj Ghimire for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00138 Medium <=7.7.1, <=7.1.5 2023-03-01 v7.8.0, 7.7.2, 7.1.6

(Information Disclosure) Fixed an issue where Mattermost sent unsanitized user_updated and post_deleted messages over the websocket connection to some clients in a High Availability installation. Thanks to Kyriakos Ziakoulis and Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00137 Medium <=7.7.1, <=7.1.5 2023-03-01 v7.8.0, 7.7.2, 7.1.6

(Authorization) Fixed an issue where a low-privileged authenticated attacker could construct an email team invite to a private channel the attacker is not a member of. Thanks to BhaRat for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00140 Low >=7.4.0, >=7.5.0, >=7.7.0 2023-02-16 v7.8.0

(Input Validation) Fixed an issue where an attacker could create a channel with a specially crafted name to cause a later creation of a group message channel fail in unexpected ways. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00136 Low >=v7.4.0 2022-11-16 v7.5.0

(Information Disclosure) Fixed an issue where a low-privileged authenticated attacker can obtain the full name of a board owner by calling the /plugins/focalboard/api/v2/users API endpoint. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Boards MMSA-2023-00135 Medium <=7.5.1, <=7.4.0, <=7.1.4 2022-12-21 v7.5.2, 7.4.1, 7.1.5

(Information Disclosure) Fixed an issue where a low-privileged authenticated user can access the Playbook Runs API to get a list of playbook runs and to access detailed information of playbook runs. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Plugins MMSA-2023-00134 Medium <=7.5.1, <=7.4.0, <=7.1.4 2022-12-21 v7.5.2, 7.4.1, 7.1.5

(Authorization) Fixed an issue where a low-privileged authenticated attacker can edit a playbook belonging to a team they have no access to using the Playbooks API. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Plugins MMSA-2023-00133 Low >= v5.12.0 2023-01-16 v7.7.0

(Information Disclosure) Fixed an issue where an authenticated user with team admin privileges could view the team owner email address by invoking the “Regenerate invite ID” API endpoint at /api/v4/teams/[teamId]/regenerate_invite_id, which failed to honor the ShowEmailAddress setting. The ShowEmailAddress setting, when set to False, hides email addresses to all members except system administrators. Thanks to foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00132 Low >= v5.12.0 2023-01-16 v7.7.0

(Information Disclosure) Fixed an issue where an authenticated user with team admin privileges could view the team owner email address by calling the /api/v4/users/me/teams API endpoint as the ShowEmailAddress setting was not honored by said endpoint. The ShowEmailAddress setting, when set to False, hides email addresses to all members except system administrators. Thanks to foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2023-00131 Low >= v5.32.0 2023-01-16 v7.7.0

(XSS) Fixed a cross-site scripting vulnerability affecting API endpoints handling the completion of the OAuth flow. Thanks to zerodivisi0n to contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00127 Low <= 7.5 2023-01-16 v7.7.0

(Authorization) Fixed a bug that required a cache purge or server restart for permission schemes to be correctly applied. Thanks to Foobar7 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00122 Medium <=7.5.1, <=7.4.0, <=7.1.4 2022-12-21 v7.5.2, 7.4.1, 7.1.5

(Information Disclosure) Fixed an issue where a Guest User could have bypassed the restrictions and viewed restricted member’s information. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00124 Low <= 7.3 2022-10-14 v7.4.0

(Denial of Service) Fixed an issue where an authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server. Thanks to DummyThatMatters for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00120 Medium <=7.1.3, <=7.2.0, <=7.3.0 2022-10-14 v7.4.0, v7.3.1, v7.2.1, v7.1.4

(Denial of Service) Fixed an issue where an authenticated user could send multiple requests containing a large payload to the “Out of Office” API endpoint and crash the server. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00118 Medium <=7.1.3, <=7.2.0, <=7.3.0 2022-10-14 v7.4.0, v7.3.1, v7.2.1, v7.1.4

(Denial of Service) Fixed an issue where an authenticated user could send multiple requests containing a large payload to the Update Playbooks API endpoint and crash the server. Thanks to vultza for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00115 Low v7.1.0 2022-08-16 v7.2.0

(Denial of Service) Fixed an issue where a specifically crafted GIF file upload could cause resource exhaustion while processing it thereby causing a server-side Denial of Service. Thanks to Philippe Antoine for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00112 Medium <= 6.3.9, 6.4.x, 6.5.x, 6.6.x, 6.7.x, 7.0.x <= 7.0.1, 7.1.x <= 7.1.2 2022-08-23 v7.2.0, 7.1.3, 7.0.2, 6.3.10

(Information Disclosure) Fixed an issue where some sensitive user information were leaked to the remote server, when a shared channel was configured between two servers. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00113 Low <= 7.0 2022-07-16 v7.1.0

(Denial of Service) Fixed an issue where an authenticated user could upload maliciously crafted image attachments and crash the server if it runs on a minimum recommended hardware requirement. Thanks to Philippe Antoine for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00111 Low <= 7.0 2022-07-16 v7.1.0

(Denial of Service) Fixed an issue where users with permissions to perform bulk import were allowed to bypass the existing limitations and upload emojis of large size, resulting in a client side DOS. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00110 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Information Disclosure) Fixed an issue where a Guest user could have bypassed the restrictions and fetch a list of all public channels in the team, inspite of not being part of those channels. Thanks to Rohit KC for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00109 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Reducing Attack Surface) Fixed an issue with the default config generation for trusted IP header, which could allow attackers to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers. Thanks to Adam Pritchard for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00108 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Information Disclosure) Fixed an issue where team members could gain access to some sensitive information of other users via an API call. Thanks to Elias for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00102 Medium <= 6.3.8, 6.4.x, 6.5.x <= 6.5.1, 6.6.x <= 6.6.1, 6.7 2022-06-13 v7.0.0, 6.7.1, 6.6.2, 6.5.2, 6.3.9

(Denial of Service) Fixed an issue where a maliciously crafted file can bypass the existing size limits during Slack import and could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00103 Low <= 5.0 2022-05-16 v5.1.0

(Misconfiguration) Fixed an issue where the file modes set in the Linux *.tar.gz installation package were too permissive. Thanks to Ernst Kloppenburg for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2022-0098 Low < 6.7 2022-05-16 v6.7.0

(Reducing Attack Surface) Fixed an issue where users with Plugin Management permissions were allowed to bypass the restriction and upload any custom plugins, even when the upload plugin config was disabled in the server’s config.json file. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0089 Low <= 6.4 2022-05-16 v6.7.0

(Denial of Service) Fixed an issue where an authenticated API could have caused resource exhaustion under specific circumstances, resulting in server-side Denial of Service. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00104 Medium 5.x, 6.x <= 6.3.7, 6.4.x <= 6.4.2, 6.5.0, 6.6.0 2022-04-28 v6.6.1, 6.5.1, 6.4.3, 6.3.8

(Denial of Service) Fixed an issue where a maliciously crafted SVG attachment could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-00101 Low <= 6.5 2022-04-16 v6.6.0

(Denial of Service) Fixed an issue where an unauthenticated attacker was allowed to send malicious request which could crash the server if the console log level were set to DEBUG. Thanks to TheSecurityDev for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0095 Medium <= 6.4 2022-03-16 v6.5.0

(Reducing Attack Surface) Fixed an issue where users with permissions to install plugins were allowed to install old versions of plugins from the Marketplace, resulting in being able to exploit any disclosed vulnerabilities. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0092 Low <= 6.4 2022-03-16 v6.5.0

(Reducing Attack Surface) Fixed an issue where the invitation email was resent as a reminder even after a system administrator invalidated all the pending email invitations leading to reactivation of invalidated tokens. Thanks to mr_anon for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0094 Medium <= 6.4 2022-03-10 v6.4.2, 6.3.5, 6.2.5, 5.37.9

(Information Disclosure) Fixed an issue where a user with a restricted custom admin role could have bypassed the restrictions and viewed the server logs and server config.json file contents. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0090 Medium <= 6.4 2022-03-10 v6.4.2, 6.3.5, 6.2.5, 5.37.9

(Denial of Service) Fixed an issue where large images posted by authenticated users could cause resource exhaustion if image proxy was enabled, resulting in server-side Denial of Service. Thanks to Agniva de Sarker for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0088 Low <= 6.3 2022-02-16 v6.4.0

(Injection) Fixed an issue where registered users with permissions to invite guest users were allowed to inject unescaped HTML content in the email invites. Thanks to Imamul Mursalin for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0084 Low <= 6.3 2022-02-16 v6.4.0

(Reducing Attack Surface) Fixed an issue where a System Admin was allowed to override certain configurations which were restricted from the System Console. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0087 Medium <=6.3.2 2022-02-03 v6.3.3, 6.2.3, 6.1.3, 5.37.8

(Denial of Service) Fixed an issue where a maliciously crafted SAML response could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0086 Medium 5.x >= 5.35, 6.x 2022-02-03 v6.3.3, 6.2.3, 6.1.3, 5.37.8

(Denial of Service) Fixed an issue where a maliciously crafted attachment could crash the server. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2022-0082 Medium <=6.3.0 2022-01-21 v6.3.1, 6.2.2, 6.1.2, 5.37.7

(Information Disclosure) Fixed an issue where the team creator’s email address was disclosed to team members via an API call.

Mattermost Server MMSA-2021-0081 Medium <=6.2 2021-12-17 v6.2.1, 6.1.1, 6.0.4, 5.39.3, 5.37.6

(Denial of Service****) Fixed an issue where a specifically crafted file upload could cause resource exhaustion while processing it, resulting in server-side Denial of Service. Thanks to Ada for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0080 Medium <=v0.10.0 2021-12-17 v0.11.0, v0.10.1, v0.9.5, v0.8.4, v0.7.5

(Information Disclosure) Fixed an issue where emails of all users were exposed via one of the Boards APIs. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Boards MMSA-2021-0077 Medium <=v0.10.0 2021-12-17 v0.11.0, v0.10.1, v0.9.5, v0.8.4, v0.7.5

(Authentication) Fixed an issue where the session was not invalidated on the server side when a user logged out of Boards. Thanks to Hagai Wechsler from WhiteSource for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Boards MMSA-2021-0076 Low <6.2 2021-12-16 v6.2.0

(Information Disclosure) Fixed an issue where the contents of an archived channel could be read even when not allowed by configuration.

Mattermost Server MMSA-2021-0075 Low <=6.0 2021-11-16 v6.1.0

(Input Validation) Fixed an issue where a specially crafted message could cause a client-side crash of the web application. Thanks to TheSecurityDev for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0074 Low <= 6.0 2021-11-16 v6.1.0

(Reducing Attack Surface) Fixed an issue where the email address in the invitation token was not properly validated during registration under specific conditions. Thanks to AT1ZT0 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0073 Low <= 6.0 2021-11-16 v6.1.0

(Misconfiguration) Changed the default permissions of the config.json file. Thanks to Matt Moses for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0072 Medium 6.0 2021-11-15 v6.0.3, 5.39.2, 5.38.4, 5.37.4

(Information Disclosure) Fixed an issue where some sensitive information was not properly sanitized before writing to the audit logs. Thanks to Paul Harrison for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0071 Medium 5.x >= 5.36, 6.0 2021-10-27 v6.0.1, v5.39.1, v5.38.3, v5.37.3

(Information Disclosure) Fixed an issue where Boards, when enabled, logged sensitive information at startup. Boards is enabled by default from Mattermost version 6.0 onwards.

Mattermost Server MMSA-2021-0049 Low < 5.0 2021-10-13 v5.0.0

(Misconfiguration) Implemented additional Electron runtime hardening. Thanks to Csaba Fitzl for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2021-0069 Low <= 5.38 2021-09-16 v5.39.0

(Reducing Attack Surface) Fixed an issue where data was not properly sanitised when copied and pasted on Mattermost. Thanks to intrigus for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0062 Low <= 5.37 2021-08-16 v5.38.0

(Reducing Attack Surface) Fixed an issue where an old email confirmation token was not properly invalidated under specific conditions. Thanks to akash-hamal for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0061 Low <= 5.37 2021-08-16 v5.38.0

(Input Validation) Fixed an issue where email addresses were not properly sanitized during registration. Thanks to sekharlee for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0064 Medium All 2021-08-04 v5.35.5, v5.36.2, v5.37.1, and v5.38.0

(Authorization) Fixed an issue where an authenticated user was able to access the contents of arbitrary posts under specific conditions. Thanks to Adrian (thiefmaster) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0063 Medium <= 4.7 2021-08-03 v4.7.1

(Reducing Attack Surface) Enabled global sandboxing to increase security in the Desktop App. Thanks to p3rr0 for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2021-0059 Low <= 4.6 2021-06-23 v4.7.0

(Input Validation) Fixed an issue where a specially crafted link bypassed security checks and allowed opening arbitrary web pages within the desktop app. Thanks to Elnerd for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2021-0058 Medium <= 4.6 2021-06-23 v4.7.0

(Remote Code Execution) Changed the default choice for security dialogs to prevent unintentional approval of dangerous actions. Thanks to RyotaK for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2021-0057 Medium <= 4.6 2021-06-23 v4.7.0

(Remote Code Execution) Upgraded Electron to prevent latest vulnerabilities. Thanks to Aaditya Purani for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2021-0055,
CVE-2021-37859 High v5.32 to v5.36 2021-06-21 v5.34.5, v5.35.4, v5.36.1, and v5.37.0

(XSS) Fixed a bypass for a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. Thanks to Andrea zi0Black Cappa of Shielder for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0056 Low <= v1.43 2021-06-16 v1.44.0

(Phishing) Fixed an issue on Android where a malicious app could masquerade as part of the Mattermost app. Thanks to Sheikh Rishad for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps MMSA-2021-0054 High v1.6.0 to v1.40.0 2021-06-16 v1.44.0

(Injection) Fixed an issue on Android where a malicious app installed on the device could write arbitrary files in Mattermost directories. Thanks to edu for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps MMSA-2021-0055,
CVE-2021-37859 High v5.32 to v5.35 2021-06-11 v5.33.5, v5.34.4, v5.35.3, and v5.36.0

(XSS) Fixed a reflected cross-site scripting vulnerability affecting OAuth-enabled instances of Mattermost. Thanks to Andrea zi0Black Cappa of Shielder for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0052 Low <=5.34 2021-05-16 v5.35.0

(Authorization) Fixed a bug that required a cache purge or server restart for channel moderation changes to be correctly applied. Thanks to Pawan Lal for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0051 Medium <=5.34 2021-05-16 v5.35.0

(Authorization) Improved the password generation logic used during the bulk user import process. Thanks to redacted for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0050 Low v5.30 to v5.34 2021-05-16 v5.35.0

(Authorization) Fixed an issue where a specific read-only admin permission could allow the creation of new S3 buckets. Thanks to Martin Kraft for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0048 High mattermost-plugin-autolink <= 1.2.1, mattermost-plugin-github <=2.0.0 2021-04-17 mattermost-plugin-autolink 1.2.2, mattermost-plugin-github 2.0.1

(Authorization) Fixed an issue where crafted HTTP requests could bypass specific plugin access controls. Thanks to Erlend Leiknes from mnemonic as for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Plugins MMSA-2021-0046 Low <v5.33 2021-03-16 v5.33.0

(Authorization) Fixed an issue where demoting a user to a guest would not take immediate effect in an environment with read replicas. Thanks to Dibyajyoti Dutta for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0045 Low <v5.33 2021-03-16 v5.33.0

(Reducing Attack Surface) Fixed an issue where specific potentially sensitive HTTP responses could end up being cached by proxy servers. Thanks to Paal Braathen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0044 Low <v5.33 2021-03-16 v5.33.0

(Reducing Attack Surface) Removed an undocumented feature which allowed system admins to set a new password without asking for the old password. Thanks to Pabloß for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0043 Low <v5.33 2021-03-16 v5.33.0

(Input Validation) Fixed an issue where maliciously crafted text in a post could lead to limited client-side Denial of Service. Thanks to Douglas Banyai for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2021-0042 High v1.6.0 to v1.40.0 2021-03-16 v1.41.0

(Injection) Fixed an issue on Android where a malicious app installed on the device could write arbitrary files in Mattermost directories. Thanks to Sunny Kumar for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps MMSA-2021-0041 Low v1.39.0 and earlier 2021-02-25 v1.40.0

(Misconfiguration) Fixed an issue where API requests could be unintentionally cached locally on iOS.

Mattermost Mobile Apps MMSA-2021-0047 Low All 2021-02-16 v5.32.0

(Input Validation) Fixed an issue where a user coming to Mattermost through OAuth could be maliciously redirected to an external website. Thanks to sbruckmann for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0038 Low All 2021-02-16 v5.32.0

(Authorization) Fixed an issue where a user with a specific custom admin role could remove permissions from a system admin. Thanks to Martin Kraft for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0039 Low All 2021-01-16 v5.31.0

(Input Validation) Improved input validation in image proxy component for URLs. Thanks to Dibyajyoti Dutta (djxploit) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0040 Low All 2020-12-16 v5.30.0

(Authorization) Fixed an issue where high-availability configurations of Mattermost partially failed to enforce permission level changes during an active session. Thanks to Leandro Chaves (brdoors3) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0030 Critical v5.20.x to v5.29.0, excluding v5.28.2, 5.27.2, and 5.25.7 2020-12-03 v5.29.1, 5.28.2, 5.27.2, 5.25.7

(Authorization) Disabled the xmlsec1-based SAML library in favor of the re-enabled and improved SAML library. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0028 Low All 2020-09-16 v5.27.0

(Denial of Service) Fixed an issue where specifically crafted file uploads could consume large amounts of memory. Thanks to Claudio Costa for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0030 High v5.20.x to v5.26.x, excluding v5.25.5 and v5.26.2 2020-09-03 v5.25.5, 5.26.2

(Authorization) Forcefully disabled the experimental SAML implementation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0025 Low All 2020-07-16 v1.33.0

(Denial of Service) Fixed an issue where specifically crafted Markdown could crash the Android version of the application. Thanks to Jorge Ferreira and Patrick Sukop from Blaze Information Security for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps MMSA-2020-0024 Low All 2020-07-16 v5.25.0

(Authorization) Fixed an issue where plugins could fail to enforce team-level permissions under specific circumstances. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0027 High All 2020-07-13 v4.5.1

(Third Party Library Vulnerability) Fixed Electron security issues CVE-2020-15096, CVE-2020-4077, CVE-2020-4075, and CVE-2020-4076.

Mattermost Desktop App MMSA-2020-0023 Low All 2020-06-16 v5.24.0

(Denial of Service) Fixed an issue where a large crafted Markdown message could have caused high resource consumption in the client. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0019 Low All 2020-06-16 v5.24.0

(Information Disclosure) Fixed an issue where authenticated users could gain access to private teams for a limited time in some configurations. Thanks to Jonathan (0xghostwriter) for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0022 High v1.31.0 2020-05-27 v1.31.2

(Information Disclosure) Fixed an issue where 1.31.0 Build 293 of the iOS app could leak authorization tokens to 3rd-party servers under specific configurations. A newer unaffected build was already available prior to discovering this issue. Thanks to Jorge Ferreira, Wilberto Filho and Julio Fort from Blaze Information Security for notifying Mattermost under the responsible disclosure policy.

Mattermost Mobile Apps MMSA-2020-0021 Low v5.22.0, v5.19.2 2020-05-16 v5.23.0

(Denial of Service) Fixed an issue where large webhook requests could send the server into an infinite loop.

Mattermost Server MMSA-2020-0020 Low All 2020-05-16 v5.23.0

(Denial of Service) Fixed an issue where automatic direct message replies could cause an infinite loop leading to Denial of Service. Thanks to Doug Lauder for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0018 High v1.29.0 2020-04-16 v1.30.0

(Information Disclosure) Fixed an issue where authorization tokens could be leaked to 3rd-party servers under specific configurations. Thanks to Mikael Berthe for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps MMSA-2020-0017 Low All 2020-04-16 v5.22.0

(Denial of Service) Fixed an issue with a potential client-side Denial of Service vulnerability in the markdown renderer. Thanks to James Hall from MDSec Labs for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0013 Low All 2020-03-16 v1.29.0

(Information Disclosure) Fixed an issue where the iOS app did not clear SSO cookies and local storage on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Mobile Apps MMSA-2020-0014 Low All 2020-03-16 v5.21.0

(Injection) Fixed an issue with an HTTP path traversal in mmctl. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0005 Low All 2020-03-16 v5.21.0

(Denial of Service) Fixed an issue where unbounded reads from socket could lead to Denial of Service. Thanks to Lev Brouk for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0008 Low All 2020-02-16 v4.4.0

(Reducing Attack Surface) Fixed an issue where unvalidated Mattermost server redirection could allow opening arbitrary web pages in the desktop app. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2020-0007 Low All 2020-02-16 v4.4.0

(Phishing) Fixed an issue where HTTP Basic authentication prompts could be used for phishing. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2020-0006 Medium All 2020-02-16 v4.4.0

(Authorization) Fixed an issue where 3rd-party origins could be granted access to restricted web APIs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Desktop App MMSA-2020-0012 Low All 2020-02-16 v5.20.0

(Authorization) Fixed an issue where the ‘update_team’ WebSocket event could broadcast team details to non-members. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0004 Low All 2020-01-16 v5.19.0

(Information Disclosure) Fixed an issue where the existence of private channels was exposed by get channel by name API. Thanks to Harison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost Server MMSA-2020-0002 Low All 2020-01-16 v5.19.0 (Input validation) Fixed an issue where channels could be renamed to collide with direct messages. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server MMSA-2020-0001 High All 2020-01-16 v5.19.0 (Authorization) Fixed an issue where non-admin users could create trusted OAuth apps. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server MMSA-2020-0001 High All 2020-01-08 v5.18.1, 5.17.3, 5.16.5, 5.9.8 (Authorization) Fixed an issue where non-admin users could create trusted OAuth apps. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.17.2.4 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Cross-Site Request Forgery) Fixed an issue where a malicious website could take over user accounts via CSRF in specific server configurations. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.17.2.3 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (SQL Injection) Fixed an issue where server administrators could inject arbitrary SQL SELECT queries to the database through the SearchAllChannels functionality. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.17.2.2 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Improper Access Control) Fixed an issue with configuration files being assigned unnecessarily permissive modes, potentially enabling privilege escalation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.17.2.1 High na 2019-12-18 v5.17.2, 5.16.4, 5.15.4, 5.9.7 (Improper Access Control) Fixed an issue where changing a channel’s type allowed logged-in users to spoof a direct message channel between two users in specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.7 na na 2019-12-16 v5.18.0 (Denial of Service) Fixed an issue where a large Slack import could cause the server to run out of memory, leading to Denial of Service. Thanks to Abhisek Datta (abhisek) for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.6 Low na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where server-local file storage was assigning unnecessarily permissive modes to files and directories. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.5 Low na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where users could send ‘user_typing’ WebSocket events to arbitrary channels. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.4 High na 2019-12-16 v5.18.0 (Cross-Site Request Forgery) Fixed an issue where a malicious website could take over user accounts via CSRF in specific server configurations. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.3 High na 2019-12-16 v5.18.0 (SQL Injection) Fixed an issue where server administrators could inject arbitrary SQL SELECT queries to the database through the SearchAllChannels functionality. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.2 High na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue with configuration files being assigned unnecessarily permissive modes, potentially enabling privilege escalation. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.18.0.1 High na 2019-12-16 v5.18.0 (Improper Access Control) Fixed an issue where changing a channel’s type allowed logged-in users to spoof a direct message channel between two users in specific conditions. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 1.26.0.5 Low na 2019-12-16 v1.26.0 (Input Validation) Fixed an issue where specifically crafted replies via the quick reply functionality could cause unexpected behavior. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps 1.26.0.4 Medium na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where cookie data was not cleared from the device on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps 1.26.0.3 Low na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where web view caches were not cleared from the device on logout. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps 1.26.0.2 Medium na 2019-12-16 v1.26.0 (Path Traversal) Fixed an issue where video preview functionality could be used to overwrite arbitrary files on the device. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps 1.26.0.1 Low na 2019-12-16 v1.26.0 (Information Disclosure) Fixed an issue where sensitive data such as server addresses and message contents could end up in local device logs. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Mobile Apps na na na 2019-11-19 v5.16.3 (Reducing Attack Surface) Fixed an issue where a Droplet could expose a vulnerable service to the internet, potentially leading to a remote code execution attack on the server. Mattermost Packages 5.17.0.1 Medium na 2019-11-16 v5.17.0 (Denial of Service) Fixed an issue where a specifically crafted latex message could cause a client-side crash of the web application. Mattermost Server 5.16.1.1 High na 2019-10-24 v5.16.1, 5.15.2, 5.14.5, 5.9.6 (Information Disclosure) Fixed an issue where a legacy attachment migration could lead to leakage of other local files on upgraded and not upgraded legacy systems. Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.3.0.1 Medium na 2019-10-17 v4.3.0 (Code Injection) Fixed an issue with Mattermost macOS client dylib injection vulnerability. Thanks to Csaba Fitzl for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App 5.16.0.1 na na 2019-10-16 v5.16.0 (Denial of Service) Fixed an issue where posts with several thousand backsticks hung markdown renderer. Mattermost Server 5.15.0.2 na na 2019-09-16 v5.15.0 (Denial of Service) Fixed an issue where some APIv4 endpoints were not handling special characters of SQL like-statement which could lead to ReDoS (high CPU usage in database server). Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.15.0.1 na na 2019-09-16 v5.15.0 (Improper Access Control) Fixed an issue where Access control restriction could be bypassed via a specially crafted input during login. Thanks to Roman Shchekin for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.13.3.1 na na 2019-08-22 v5.13.3, 5.12.6, 5.9.4 (Denial of Service) Fixed an issue where a specifically constructed SVG could be uploaded which would cause the web and desktop apps to freeze when viewing that channel. Thanks to severus for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.14.0.1 Medium na 2019-08-16 v5.14.0 (Denial of Service) Fixed an issue where a specifically constructed SVG could be uploaded which would cause the web and desktop apps to freeze when viewing that channel. Thanks to severus for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.2.1 High na 2019-08-07 v4.2.2 (Remote Code Execution) Mitigated a remote code execution vulnerability where a specifically crafted link could invoke code in specific circumstances. Thanks to Juho Nurminen for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App 5.13.0.2 Low na 2019-07-16 v5.13.0 (Authorization) Enforced team membership when fetching slash commands that are enabled for a team. Thanks to Ashish Padelkar for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.13.0.1 Low na 2019-07-16 v5.13.0 (Authorization) Added more explicit checks for incoming webhook creation. Thanks to Aryan Rupala for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.13.0.3 na na 2019-07-16 v5.13.0 (Authorization) Fixed an issue with GitHub plugin where user was able to attach their Mattermost account to a victim’s GitHub account. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Plugins 5.11.1.1 na na 2019-06-21 v5.11.1, 5.10.2, 5.9.2, 4.10.10 (CSRF) Added protection against CSRF attacks on the login page. Thanks to Zonduu for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.12.0.2 Medium na 2019-06-16 v5.12.0 (CSRF) Added protection against CSRF attacks on the login page. Thanks to Zonduu for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.12.0.1 Low na 2019-06-16 v5.12.0 (Input Validation) Added a configuration flag to explicitly enable Source IP overwrites using proxy overwrite headers. Thanks to prefix for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.11.0.2 Low na 2019-05-16 v5.11.0 (Denial of Service) Fixed an issue where a specific post could prevent loading all posts in that channel. Thanks to vincentbab for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.11.0.1 na na 2019-05-16 v5.11.0 (Input Validation) Moved generation of invite ids to a more secure function. Thanks to Bruno Bierbaumer for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.1.1 na na 2019-04-24 v5.9.1, 5.8.2, 4.10.9 (Authorization) Fixed an issue where Update/Patch Channel endpoint could accept changes from non-members for private channels. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.10.0.2 High na 2019-04-16 v5.10.0 (Authorization) Fixed an issue where Update/Patch Channel endpoint could accept changes from non-members for private channels. Thanks to Leandro Chaves for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.10.0.1 Medium na 2019-04-16 v5.10.0 (Input Validation) Fixed an issue where a user could modify the file IDs of a POST without showing the edited flag. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.8 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Denial of Service) A case of catastrophic backtracking within the Markdown library. Thanks to esosnov for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.7 Medium na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Reducing Attack Surface) Added additional protection against SSRF attacks to services running on the Mattermost server itself. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.6 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Information Disclosure) An information disclosure related to user activation/deactivation, where session information of the admin could be leaked to the system user. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.5 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Information Disclosure) An information disclosure related to role changes, where session information of the admin could be leaked to the system user. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.4 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Reducing Attack Surface) Invalidated tokens for password resets when a eMail change is being executed. Thanks to mga_bobo for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.3 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Denial of Service) A user was able to deactivate himself when the option was disabled. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.2 Low na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Authorization) Enhanced the authentication flow to avoid disclosing whether a user had two-factor authentication enabled or not. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.9.0.1 na na 2019-03-16 v5.9.0, 5.8.1, 5.7.3, 4.10.8 (Phishing) Enhanced eMail verification when change is attempted from within the application. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.6 na na 2019-02-16 v5.8.0, 5.7.2, 5.6.5, 4.10.7 (Reducing Attack Surface) User was allowed to modify Email address without re-entering their credentials. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.4 na na 2019-02-16 v5.8.0, 5.7.2, 5.6.5, 4.10.7 (Denial of Service) Added mitigation to the possibility of high memory usage through external requests caused by OpenGraph data. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.8 Low na 2019-02-16 v5.8.0 (Input Validation) Applied login attempt to MFA to prevent brute forcing. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.7 na na 2019-02-16 v5.8.0 (Authorization) Anyone could join an open team even when a domain was specified. Thanks to Elias Nahum for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.5 na na 2019-02-16 v5.8.0 (Authorization) Users could pin/unpin posts when the experimental “read only Town Square” configuration setting was enabled. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.3 na na 2019-02-16 v5.8.0 (Reducing Attack Surface) Removed the ability for a single file to become partly attached to multiple posts. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.2 na na 2019-02-16 v5.8.0 (Information Disclosure) Added automatic robots.txt file to prevent search engines crawling Mattermost by default. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.8.0.1 na na 2019-02-16 v5.8.0 (Reducing Attack Surface) Improved the creation flow for the first user to make it harder to accidentally make a user system admin. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.7.1.1 na na 2019-02-01 v5.7.1, 5.6.4, 5.5.3 and 4.10.6 (Information Disclosure) A registered user was allowed to receive posts within the team without the required permissions through the flags API. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.7.0.3 na na 2019-01-16 v5.7, 5.6.3, 5.5.2, 4.10.5 (Denial of Service) A malicious outgoing webhook or slash command integration could cause the server to run out of memory. Thanks to Boyd Ansems of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.7.0.1 na na 2019-01-16 v5.7, 5.6.3, 5.5.2, 4.10.5 (Authorization) The permissions required for a user to create a user access token were unclear so they could be configured incorrectly when setting up Mattermost. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.7.0.2 na na 2019-01-16 v5.7 (Information Disclosure) A user who could not view other users’ email addresses could confirm a user has a known email address. Thanks to Rohitesh Gupta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.4.0.1 na na 2018-10-16 v5.4.0 (Authorization) The client could hold and send unnecessary authentication credentials. Thanks to Christopher Speller for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.3.0.2 na na 2018-09-16 v5.3.0 (Reducing Attack Surface) Fixed a potential timing attack. Thanks to Ben Burke for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.3.0.1 na na 2018-09-16 v5.3.0 Alpine Linux was updated to fix a vulnerability reported responsibly to the Alpine Linux project by Max Justicz. Mattermost Server 5.2.0.3 na na 2018-09-16 v5.2.2, 5.1.2, 4.10.4 (Denial of Service) A specially-crafted image with large dimensions and a small file size could be uploaded as an emoji, causing the server to use excess amounts of memory and possibly crash. Thanks to Soroush Dalili from NCC Group for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.2.0.2 na na 2018-08-16 v5.2, 5.1.1 (Authorization) “updateChannel“ endpoint would not check if the channel ID is the same in params and body. Thanks to Đặng Minh Trí for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.2.0.1 na na 2018-08-16 v5.2, 5.1.1, 5.0.3, 4.10.3 (Authorization) Users would be able to bypass email signup domain restriction by listing multiple emails. Thanks to Đặng Minh Trí for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.1.1.5 na na 2018-07-16 v5.1, 5.0.2, 4.10.2 (Authorization) “invite_people“ slash command would allow any logged in user to invite users to the team/server without checking the relevant permissions. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.1.1.6 na na 2018-07-16 v5.1 (Authorization) Message slash command would allow user to create direct message channels without the requisite permission being granted. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.1.1.4 na na 2018-07-16 v5.1 (Authorization) Channel PATCH API would allow modification of Direct and Group message channels by users who were not a member of those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.1.1.3 na na 2018-07-16 v5.1 (Authorization) Group message slash command would allow user to create group message channels without the requisite permission being granted. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.1.1.2 na na 2018-07-16 v5.1 (Authorization) Channel header slash command API could be exploited to set the header of Direct Message and Group Message channels as a user who does not have access to those channels. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 5.1.1.1 na na 2018-07-16 v5.1 (Denial of Service) “/invite_people“ slash command could be used to cause a DOS attack. Thanks to Daniel Schalla for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.10.1.1 na na 2018-06-04 v4.10.1, 4.9.4, 4.8.2 (Denial of Service) Viewing a channel containing a malformed link could cause the app to freeze. Thanks to Eric Sethna for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.8.1.2 na na 2018-04-09 v4.8.1, 4.7.4, 4.6.3 (Information Disclosure) A System Admin editing a user would unintentionally send a Websocket event with the user’s email address and other personal information ignoring the privacy settings. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.8.1.1 na na 2018-04-09 v4.8.1, 4.7.4, 4.6.3 (Authorization) The team invite_id was disclosed through email invites, allowing a user to invite themselves repeatedly to a team and invite others. Thanks to Jesús Espino for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.1.1 na na 2018-03-28 v4.0.1 (Reducing Attack Surface) Node.js was allowed to be re-enabled in some Electron applications that disable it. This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs. Mattermost Desktop App 4.7.3.1 na na 2018-03-09 v4.7.3 (Denial of Service) Viewing a post containing invalid Latex code would cause an error that crashed the app. Thanks to Jan Wissmann for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.7.0.1 na na 2018-02-23 v4.7.0, 4.6.2, 4.5.2 (Authorization) SAML responses could be used beyond their expiration dates and maliciously crafted SAML responses could allow users to authenticate as any other user. Thanks to Brad Berkemier for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.1 na na 2018-01-30 v4.0.0 (Reducing Attack Surface) Use setPermissionRequestHandler to request permissions for various actions such as video/audio usage and notifications from untrusted origins. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App 4.5.0.2 na na 2017-12-16 v4.5.0, 4.4.5, 4.3.4 (Authorization) When configured to allow non-admins to create webhooks (“EnableOnlyAdminIntegrations” set to false), users were able to forge requests that allow them to edit other users’ webhooks. Thanks to Linda Mitchell for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.5.0.1 na na 2017-12-16 v4.5.0, 4.4.5, 4.3.4, 4.2.2 (Denial of Service) Viewing a post containing @ followed by certain built-in JavaScript field names would cause an error that crashes the app. Thanks to Tobias Gruetzmacher for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.4.0.1 na na 2017-12-05 v4.4.3, 4.3.3 (Authorization) When using Mattermost as an OAuth 2.0 service provider and allowing non-admin users to manage integrations (“EnableOnlyAdminIntegrations” set to false), an attacker with a user account could forge a request allowing the updating of an OAuth app’s name, description, icon, homepage and callback URLs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.3.0.1 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Denial of Service) Fixed an issue where improperly formatted posts could cause the channel to not appear. Mattermost Server 4.3.0.2 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed an issue allowing users with System Admin permissions upwards path traversal, arbitrary file creation and boolean file checking on systems using local storage for files. Systems using other file storage methods allowed only arbitrary file creation and boolean file checking. Mattermost Server 4.3.0.3 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Fixed an issue where script could be injected into the allow/deny OAuth 2.0 page. Mattermost Server 4.3.0.4 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authentication) Fixed a vulnerability where any logged in user could revoke another user’s session if they had somehow obtained the session ID. Mattermost Server 4.3.0.5 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented author_link and title_link fields in Slack attachments from containing JavaScript links. Mattermost Server 4.3.0.6 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented JavaScript injection using the goto_location response to a slash command. Mattermost Server 4.3.0.7 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Cross-site Scripting) Prevented JavaScript injection using OpenGraph data received from a malicious web page. Mattermost Server 4.3.0.8 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authorization) Prevented code prediction and possible access to user accounts due to weak entropy in authorization code generation when using Mattermost as an OAuth 2.0 Service Provider. Mattermost Server 4.3.0.9 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Authorization) Prevented registered OAuth applications from being able to privilege escalate with personal access tokens or by accessing other API endpoints on behalf of the user. Mattermost Server 4.3.10 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Prevented users from executing slash commands against a channel that belongs to a team in which they don’t have permission to use slash commands. Mattermost Server 4.3.11 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Information Disclosure) Fixed the team creators email being returned to team members with the team object Mattermost Server 4.3.12 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Reducing Attack Surface) Prevented potential SQL injection by parameterizing the SQL query used for fetching multiple posts from the database. Mattermost Server 4.3.13 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed a vulnerability where users could create fake system message posts via webhooks and slash commands through the v3 and v4 REST API Mattermost Server 4.3.14 na na 2017-10-16 v4.3.0, 4.2.1, 4.1.2 (Input Validation) Fixed a vulnerability where action buttons could be crafted to execute certain API requests on behalf of the user that clicks them. Mattermost Server 4.2.0.1 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Phishing) Removed the ability for error pages to display custom links. Thanks to Andrey Dyatlov for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.2 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) Fixed an issue where certain fields in email templates could contain unescaped HTML. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.3 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Cross-Site Scripting) Fixed an issue where channel display names containing unescaped HTML would be rendered in posts. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.4 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) When using Mattermost as an OAuth 2.0 service provider and allowing non-admins to create integrations, users could register OAuth 2.0 applications as trusted and bypass the resource owner authorization step. As a result, the application could gain access to a logged-in Mattermost user who clicks on a link to that application. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.5 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) REST API version 4 endpoints for getting user statuses did not require active sessions. Information about user statuses could then be revealed to unauthenticated users. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.6 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Preventing Unauthorized Access) REST API version 3 logging endpoint could allow unauthenticated users to post DEBUG statements to the server logs. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.7 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) When using Mattermost as an OAuth 2.0 service provider, a user clicking deny could still be redirected to the provided redirect_uri. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.8 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Denial of Service) Fixed an issue where certain posts could cause the browser to freeze. Thanks to Johannes Kastenfrosch for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.2.0.9 na na 2017-09-16 v4.2.0, 4.1.1 and 4.0.5 (Reducing Attack Surface) Increased robustness of per-IP-address rate-limiting. Thanks to Chris Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.7.1.1 na na 2017-08-30 v3.7.1 (Reducing Attack Surface) Revoked trust for certificates issued by the StartCom/WoSign Certificate Authorities (CA). Thanks to Aaron Siegel from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App 4.1.0.1 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (Injection) Fixed a scenario where exporting a compliance report to CSV could allow formulas to run inside other applications, such as Microsoft Excel. Thanks to David Dworken for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.1.0.2 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (Unauthenticated API Access) Fixed a scenario where team JSON, including team invite IDs, could be retrieved from the server without logging in and using only the team name. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy.an Mattermost Server 4.1.0.3 na na 2017-08-16 v4.1.0, 4.0.4 and 3.10.3 (API Data Leak) Fixed a scenario where team invite IDs could be leaked to logged in users through some team API endpoints. Thanks to Đỗ Minh Tuấn and Thanh Nguyen Van Tien for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.1 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Request Forgery) Fixed a scenario where servers with CORS enabled could allow CSRF (cross-site request forgery) from unintended origins. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.2 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Scripting) Updated server to ensure that uploaded non-image files are always downloaded instead of displayed on a browser. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.3 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Failure to Invalidate Sessions) When using Mattermost as an OAuth 2.0 service provider, deleting a registered OAuth application would not revoke existing sessions in use by that application. New sessions for that application would not be created. Old sessions will still expire after the regular period. Thanks to Lindsay Brock for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.4 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (SSO Vulnerability) A user with an account on an SSO OAuth2 provider (e.g. GitLab) could forge a request to claim an existing Mattermost account. Only affects Mattermost servers with GitLab single sign-on or Mattermost Enterprise Edition servers with Office365 or G Suite single sign-on enabled. The attack is not stealthy, victim would be notified of the account change by email and would not be able to log in to their account. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.5 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Cross-site Scripting) Prevented channel header from rendering raw html for users that have post formatting disabled. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 4.0.0.6 na na 2017-07-16 v4.0.0, 3.10.2 and 3.9.2 (Reducing Attack Surface) Updated server to ensure that the password reset email is always sent to the user’s email from the database, not the email entered into the password reset form, to avoid risk of database collation. Thanks to Christopher Brown for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.9.0.1 na na 2017-05-16 v3.9.0 (Reducing Attack Surface) Updated server to enforce encryption and signature verification by default when SAML is enabled. Mattermost Server 3.8.0.1 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Message Spoofing) Fixed a vulnerability where a user can cause email notifications to include arbitrary links. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.0.2 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Reducing Attack Surface) Updated server to prevent skipping the certificate verification when connecting to an email server over TLS. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.0.3 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Remote Code Execution) Updated server to allow only the path for the Mattermost log file instead of the full path and file name. Thanks to Martijn Korse, Jelle Kroon, Ömer Coskun and Bernardo Maia Rodrigues of the KPN Red Team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.0.4 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Cross-Site Scripting) Updated client to prevent links on error pages from executing javascript when opening in a new tab. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.0.5 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Message Spoofing) Updated client to prevent displaying non-whitelisted external links on error pages. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.0.6 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Unauthorized Access to API Endpoint) Updated server to enforce policy permission role restrictions after a server restart. Thanks to George Goldberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.0.7 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Preventing Unauthorized Access to API Endpoint) Updated server to enforce integration permission restrictions correctly based on the system configuration. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.8.1.1 na na 2017-04-21 v3.8.2, v3.7.5 and v3.6.7 (Reducing Attack Surface) Moved to stronger algorithms for hashing email invitations, OAuth, and email verification tokens. Thanks to Carlos Tadeu Panato Junior for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.7.3.1 na na 2017-03-23 v3.7.3 and v3.6.5 (Preventing Remote Code Execution) Prevent System Administrator from uploading a SAML certificate into an arbitrary file location. Thanks to Martijn Korse for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.7.0.1 na na 2017-03-16 v3.7.0 and v3.6.3 (Preventing Unauthorized Access to API Endpoint) Updated server to prevent team creation without an authenticated account. Thanks to Joram Wilander for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.6.2.1 na na 2017-01-31 v3.6.2 (Preventing Cross-Site Scripting) Updated the server to honor cross-origin settings for websocket connections. Thanks to Alex Garbutt for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.6.0.1 na na 2017-01-16 v3.6.0 and v3.5.2 (Preventing Cross-Site Scripting) Updated client to prevent links on error page from executing code. Thanks to Julien Ahrens for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.5.1.1 na na 2016-11-23 v3.5.1 (Reducing Attack Surface) Fixed a vulnerability where a user can by-pass email verification without needing to receive the email. Thanks to Alyssa Milburn for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.5.1.2 na na 2016-11-23 v3.5.1 (Preventing Cross-Site Scripting and Remote Code Execution) Updated client to prevent certain code files from being executed in the browser window when opened in a file preview. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.4.0.1 na na 2016-09-22 v3.4.0 (Reducing Attack Surface) Added protection against code injection vulnerabilities by overriding and disabling an eval function that allowed strings to be executed as code. Thanks to Kolja Lampe for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Desktop App 3.3.0.1 na na 2016-08-16 v3.3.0 (Preventing Message Spoofing) Fixed a vulnerability where a logged in user could use WebSockets to show pop-ups containing messages to users in place of desktop notifications, and also locally modify the appearance of posts. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.2.0.1 na na 2016-07-16 v3.2.0 (Reducing Information Disclosure) Removed unused personal information from being returned in initial_load API. Thanks to Christer Mjellem Strand and Jonas Arneberg for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.2.0.2 na na 2016-07-16 v3.2.0 (Protecting Against Denial of Service Vulnerability) Fixed functionality that caused certain posts to freeze a reader’s browser. Thanks to Mohammad Razavi and Steve MacQuiddy for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.2.0.3 na na 2016-07-16 v3.2.0 (Reducing Information Disclosure) Fixed an injection vulnerability that could cause certain LDAP fields to be disclosed. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.2.0.4 na na 2016-07-16 v3.2.0 (Reducing Attack Surface) Added protection against brute forcing a password change. Thanks to Ashish Pathak for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.1.0.1 na na 2016-06-16 v3.1.0 (Preventing Cross-Site Scripting) Updated server to prevent user from inadvertently including malicious content in theme color code values to execute Javascript code under the user’s credentials. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.1.0.2 na na 2016-06-16 v3.1.0 (Reducing Attack Surface) Added rel=’noreferrer noopener’ to all links using target=’_blank’ to reduce potential for cross-site scripting attack. Mattermost Server 3.0.2.1 na na 2016-05-17 v3.0.2 (Reducing Information Disclosure) Remove redundancy of Session ID and Session Token. Session Token limited to allowing login and Session ID limited to revoking sessions. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.1 na na 2016-05-16 v3.0.0 (Preventing Cross-Site Scripting) Sanitized hyperlink values specified by System Administrator in Legal and Support Settings to prevent cross-site scripting attack. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.2 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Limit system to one valid password reset link per user at a time to replace previous system which allowed reuse of password reset links. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy Mattermost Server 3.0.0.3 na na 2016-05-16 v3.0.0 (Reducing Information Disclosure) Deprecated API previously used by unauthenticated accounts to retrieve data on teams available on the server in order to find team URLs needed for login. This functionality is no longer needed in Mattermost 3.0 where users login by server, rather than by team. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.4 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) SSL flag functionality added to SSL cookie placed on computer by Mattermost server under SSL connection, requiring SSL connection before the cookie’s information can be disclosed. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.5 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Removed unnecessary APIs for System Admin to change username and email address of LDAP users. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.6 na na 2016-05-16 v3.0.0 (Reducing Information Disclosure) Removed the ability for System Console UI to load credential fields stored in `config.json` in order to reduce information disclosure. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.7 na na 2016-05-16 v3.0.0 (Preventing Cross-Site Scripting) Removed ability to use Mattermost redirect URL to run Javascript. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 3.0.0.8 na na 2016-05-16 v3.0.0 (Reducing Attack Surface) Removed unused export APIs to reduce the number of ways a Team Administrator could access account information. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 2.2.0.1 na na 2016-04-16 v2.2.0 Updated server to prevent misuse of user authority from information stored in a user’s browser. Thanks to Jim Hebert of Fitbit Security for contributing to this improvement under the Mattermost responsible disclosure policy Mattermost Server 2.2.0.2 na na 2016-04-16 v2.2.0 (Preventing Cross-Site Scripting) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Uchida Ta for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 2.2.0.3 na na 2016-04-16 v2.2.0 (Preventing Cross-Site Scripting and Remote Code Execution) Updated server to prevent files from being automatically opened in a browser window, which could be used to attack the system in multiple ways, including being used against the Mattermost desktop application to run programs on an end user’s computer. Thanks to Andreas Lindh contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 2.1.0.1 na na 2016-03-16 v2.1.0 (Preventing Cross-Site Request Forgery) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Luke Arntson for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server 1.2.0.1 na na 2015-11-16 v1.2.0 (Protecting Against Denial of Service Vulnerability) Added file upload restrictions to prevent decompression of very large images from eating up very large portions of server memory after upload. Thanks to Paddy Steed for contributing to this improvement under the Mattermost responsible disclosure policy. Mattermost Server