Lucene search

GitHub Advisory DatabaseGHSA-R4FM-G65H-CR54

HistoryFeb 29, 2024 - 12:31 p.m.

Mattermost incorrectly allows access individual posts

2024-02-2912:31:06

CWE-200

GitHub Advisory Database

github.com

mattermost security

unauthorized access

version 8.1.x

data sanitization

plugin vulnerability

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

High

EPSS

Percentile

9.0%

JSON

Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts’ contents in channels they are not a member of.

Affected configurations

Vulners

Node

mattermostmattermostRange9.0.0–9.4.0

VendorProductVersionCPE
mattermostmattermost*cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost	*	cpe:2.3:a:mattermost:mattermost::::::::

References

github.com/advisories/GHSA-r4fm-g65h-cr54

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-1952

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for GHSA-R4FM-G65H-CR54