History: Nov 27, 2023 - 9:09 a.m.

CVE-2023-35075 HTML injection via channel autocomplete

2023-11-27 09:09:19
CWE-74
Mattermost
www.cve.org
mattermost
html injection
channel autocomplete
cve-2023-35075
innertext
textcontent
webapp
xss

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

14.2%

Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML into a victim's page by creating a channel whose name is valid HTML. No XSS is possible, though.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "8.1.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "7.8.12",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "7.8.13"
      },
      {
        "status": "unaffected",
        "version": "8.1.4"
      }
    ]
  }
]

