CVE-2023-43754 Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels

2023-11-2709:11:13

CWE-200

Mattermost

www.cve.org

mattermost

cve-2023-43754

permalink previews

archived channels

settings

security vulnerability

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

Percentile

14.0%

JSON

Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "7.8.12",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.1.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.0.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.1.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "9.0.2"
      },
      {
        "status": "unaffected",
        "version": "9.1.1"
      },
      {
        "status": "unaffected",
        "version": "7.8.13"
      },
      {
        "status": "unaffected",
        "version": "8.1.4"
      }
    ]
  }
]