CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In June 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1701 CVE-2017-18907 79 XSS 2020-06-19 2020-06-24
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
1702 CVE-2017-18906 287 2020-06-19 2020-06-29
4.9
None Remote Medium ??? Partial Partial None
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
1703 CVE-2017-18905 613 2020-06-19 2020-06-25
5.0
None Remote Low Not required None Partial None
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
1704 CVE-2017-18904 79 XSS 2020-06-19 2020-06-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
1705 CVE-2017-18903 352 CSRF 2020-06-19 2020-06-25
5.1
None Remote High Not required Partial Partial Partial
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
1706 CVE-2017-18902 200 +Info 2020-06-19 2020-06-25
5.0
None Remote Low Not required Partial None None
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
1707 CVE-2017-18901 200 +Info 2020-06-19 2020-06-26
5.0
None Remote Low Not required Partial None None
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
1708 CVE-2017-18900 74 2020-06-19 2020-06-26
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
1709 CVE-2017-18899 770 2020-06-19 2020-06-26
5.0
None Remote Low Not required None None Partial
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
1710 CVE-2017-18898 404 2020-06-19 2020-06-26
5.0
None Remote Low Not required None None Partial
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
1711 CVE-2017-18897 601 2020-06-19 2020-06-26
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
1712 CVE-2017-18896 732 2020-06-19 2020-06-26
5.0
None Remote Low Not required None Partial None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
1713 CVE-2017-18895 200 +Info 2020-06-19 2020-06-26
5.0
None Remote Low Not required Partial None None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
1714 CVE-2017-18894 732 Bypass 2020-06-19 2020-06-26
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.
1715 CVE-2017-18893 79 XSS 2020-06-19 2020-06-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
1716 CVE-2017-18892 116 2020-06-19 2020-06-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
1717 CVE-2017-18891 601 2020-06-19 2020-06-29
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.
1718 CVE-2017-18890 20 2020-06-19 2020-06-29
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
1719 CVE-2017-18889 20 2020-06-19 2020-06-26
4.0
None Remote Low ??? None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
1720 CVE-2017-18888 89 Sql 2020-06-19 2020-06-26
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
1721 CVE-2017-18887 200 +Info 2020-06-19 2020-06-26
5.0
None Remote Low Not required Partial None None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
1722 CVE-2017-18886 732 Bypass 2020-06-19 2020-06-26
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
1723 CVE-2017-18885 269 +Priv 2020-06-19 2020-06-26
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
1724 CVE-2017-18884 269 +Priv 2020-06-19 2020-06-30
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
1725 CVE-2017-18883 331 2020-06-19 2020-07-02
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
1726 CVE-2017-18882 79 XSS 2020-06-19 2020-06-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
1727 CVE-2017-18881 79 XSS 2020-06-19 2020-06-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command.
1728 CVE-2017-18880 79 XSS 2020-06-19 2020-06-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.
1729 CVE-2017-18879 79 XSS 2020-06-19 2020-06-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
1730 CVE-2017-18878 732 2020-06-19 2020-06-30
4.0
None Remote Low ??? None None Partial
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
1731 CVE-2017-18877 79 XSS 2020-06-19 2020-06-24
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
1732 CVE-2017-18876 732 2020-06-19 2020-06-29
4.0
None Remote Low ??? Partial None None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
1733 CVE-2017-18875 732 2020-06-19 2020-06-29
4.0
None Remote Low ??? None Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
1734 CVE-2017-18874 22 Dir. Trav. 2020-06-19 2020-06-29
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
1735 CVE-2017-18873 20 DoS 2020-06-19 2020-06-29
5.0
None Remote Low Not required None None Partial
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
1736 CVE-2017-18872 732 2020-06-19 2020-06-30
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
1737 CVE-2017-18871 DoS 2020-06-19 2020-06-26
5.0
None Remote Low Not required None None Partial
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
1738 CVE-2017-18870 732 2020-06-19 2020-06-29
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.
1739 CVE-2017-18869 367 2020-06-15 2020-06-17
1.9
None Local Medium Not required None Partial None
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
1740 CVE-2017-9109 119 Overflow 2020-06-18 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in adns before 1.5.2. It fails to ignore apparent answers before the first RR that was found the first time. when this is fixed, the second answer scan finds the same RRs at the first. Otherwise, adns can be confused by interleaving answers for the CNAME target, with the CNAME itself. In that case the answer data structure (on the heap) can be overrun. With this fixed, it prefers to look only at the answer RRs which come after the CNAME, which is at least arguably correct.
1741 CVE-2017-9108 119 Overflow 2020-06-18 2020-07-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in adns before 1.5.2. adnshost mishandles a missing final newline on a stdin read. It is wrong to increment used as well as setting r, since used is incremented according to r, later. Rather one should be doing what read() would have done. Without this fix, adnshost may read and process one byte beyond the buffer, perhaps crashing or perhaps somehow leaking the value of that byte.
1742 CVE-2017-9107 119 DoS Overflow 2020-06-18 2020-07-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in adns before 1.5.2. It overruns reading a buffer if a domain ends with backslash. If the query domain ended with \, and adns_qf_quoteok_query was specified, qdparselabel would read additional bytes from the buffer and try to treat them as the escape sequence. It would depart the input buffer and start processing many bytes of arbitrary heap data as if it were the query domain. Eventually it would run out of input or find some other kind of error, and declare the query domain invalid. But before then it might outrun available memory and crash. In principle this could be a denial of service attack.
1743 CVE-2017-9106 119 Overflow 2020-06-18 2020-07-02
5.0
None Remote Low Not required None None Partial
An issue was discovered in adns before 1.5.2. adns_rr_info mishandles a bogus *datap. The general pattern for formatting integers is to sprintf into a fixed-size buffer. This is correct if the input is in the right range; if it isn't, the buffer may be overrun (depending on the sizes of the types on the current platform). Of course the inputs ought to be right. And there are pointers in there too, so perhaps one could say that the caller ought to check these things. It may be better to require the caller to make the pointer structure right, but to have the code here be defensive about (and tolerate with an error but without crashing) out-of-range integer values. So: it should defend each of these integer conversion sites with a check for the actual permitted range, and return adns_s_invaliddata if not. The lack of this check causes the SOA sign extension bug to be a serious security problem: the sign extended SOA value is out of range, and overruns the buffer when reconverted. This is related to sign extending SOA 32-bit integer fields, and use of a signed data type.
1744 CVE-2017-9105 476 Exec Code 2020-06-18 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in adns before 1.5.2. It corrupts a pointer when a nameserver speaks first because of a wrong number of pointer dereferences. This bug may well be exploitable as a remote code execution.
1745 CVE-2017-9104 400 2020-06-18 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in adns before 1.5.2. It hangs, eating CPU, if a compression pointer loop is encountered.
1746 CVE-2017-9103 119 Overflow 2020-06-18 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in adns before 1.5.2. pap_mailbox822 does not properly check st from adns__findlabel_next. Without this, an uninitialised stack value can be used as the first label length. Depending on the circumstances, an attacker might be able to trick adns into crashing the calling program, leaking aspects of the contents of some of its memory, causing it to allocate lots of memory, or perhaps overrunning a buffer. This is only possible with applications which make non-raw queries for SOA or RP records.
1747 CVE-2016-11084 352 XSS CSRF 2020-06-19 2020-06-23
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
1748 CVE-2016-11083 79 XSS 2020-06-19 2020-06-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
1749 CVE-2016-11082 79 XSS 2020-06-19 2020-06-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
1750 CVE-2016-11081 200 +Info 2020-06-19 2020-06-25
4.0
None Remote Low ??? Partial None None
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
Total number of vulnerabilities : 1786   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 (This Page)36
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.