CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
13.6%
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail toΒ prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts
Vendor | Product | Version | CPE |
---|---|---|---|
mattermost | mattermost | * | cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* |
[
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "affected",
"version": "9.8.0"
},
{
"lessThanOrEqual": "9.7.4",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.6.2",
"status": "affected",
"version": "9.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.5.5",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.9.0"
},
{
"status": "unaffected",
"version": "9.8.1"
},
{
"status": "unaffected",
"version": "9.7.5"
},
{
"status": "unaffected",
"version": "9.6.3"
},
{
"status": "unaffected",
"version": "9.5.6"
}
]
}
]