Lucene search

GitHub Advisory DatabaseGHSA-HV5F-73MR-7VVJ

HistorySep 23, 2021 - 11:11 p.m.

Cross-site Scripting in Mattermost

2021-09-2323:11:06

CWE-79

GitHub Advisory Database

github.com

mattermost

xss

vulnerability

clipboard

web script

product deployments

csp

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.9%

JSON

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.

Affected configurations

Vulners

Node

mattermostmattermost-serverRange<5.39.0

VendorProductVersionCPE
mattermostmattermost-server*cpe:2.3:a:mattermost:mattermost-server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mattermost	mattermost-server	*	cpe:2.3:a:mattermost:mattermost-server::::::::

References

docs.mattermost.com/install/self-managed-changelog.html#release-v5-39-quality-release

github.com/advisories/GHSA-hv5f-73mr-7vvj

mattermost.com/security-updates/

nvd.nist.gov/vuln/detail/CVE-2021-37860

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.9%

JSON

Related for GHSA-HV5F-73MR-7VVJ