Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneAt11zt00H1:1357013
HistoryOct 01, 2021 - 10:47 p.m.

Mattermost: ABLE TO TRICK THE VICTIM INTO USING A CRAFTED EMAIL ADDRESS FOR A PARTICULAR SESSION AND THEN LATER TAKE BACK THE ACCOUNT

2021-10-0122:47:08
at11zt00
hackerone.com
14

0.001 Low

EPSS

Percentile

33.5%

JSON

Hi
I have found a vulnerability in your website using which i can trick the victim into using a specific email address to login in into the website and him thinking that he is using his own email address and continuing the session and then later we can take back the account and check what are the chats he made
UNDER SOME CIRCUMSTANCES

HOW TO REPRODUCE:-
scenarios - a team admin sends you and the victim a joining link to his team.
it looks like this:-
https://hackerone.cloud.mattermost.com/signup_user_complete/?d={“display_name”:“\u003ch1\u003ea”,“email”:“██████████”,“name”:“main”}&t=cqtkyznxn8e43yagt9fjcsrc4nh6yoqq914in3zg4ykj1jkjbc9bippckjikj4cw

now we can see that there is an Email value and a token value. here the email value doesn’t matter because even if we change it . you will be login as the
email to which the link was send. the token is assigned according to a particular email value
but interesting thing happens when we remove the email value and keep it blank (REFER TO THIS EMAIL)

https://hackerone.cloud.mattermost.com/signup_user_complete/?d={“display_name”:“\u003ch1\u003ea”,“email”:“”,“name”:“main”}&t=cqtkyznxn8e43yagt9fjcsrc4nh6yoqq914in3zg4ykj1jkjbc9bippckjikj4cw

IF we go to the first link it asks us for name and password
BUT if we go to the second link it ask’s for username password and email(HERE things get interesting)
even if we give a different email address to it . you will be signed as the attacker email id and the you can continue the session thinking that its your own email id you are using

Impact

the attacker can use his own invite link and then remove the email value from it and send it to the victim. when the victim clicks he sees 3 fields he give his own email id password and username and continue the session when done he log’s out then the attacker can use forget password to take back his account and look through all of his private messages

STEPS TO REPRODUCE :-

  1. go to the first link you will be asked for username and password(DON’T SUBMIT JUST SEE THE CONTENTS)
    2.go to the second link you will be also asked for email(ENTER ALL THE VALUES )
    3.now if you check the email address it will be different from the original email address (you are using a forged email id) of the attacker

NOW I HAVE RATED IT HIGH BECAUSE USING THIS WE CAN SEE ALL THE CONVERSATION’S HE DID FOR A PARTICULAR SESSION
I WILL ATTACH THE POC BELOW

Related

cve 1
prion 1
osv 2
cvelist 1
nvd 1
cnvd 1
cve
cve
CVE-2021-37862
2021-12-17 17:15:12
prion
prion
Code injection
2021-12-17 17:15:00
osv
osv
BIT-mattermost-2021-37862
2024-03-06 11:05:08
CVE-2021-37862
2021-12-17 17:15:12
cvelist
cvelist
CVE-2021-37862
2021-12-17 16:10:29
nvd
nvd
CVE-2021-37862
2021-12-17 17:15:12
cnvd
cnvd
Mattermost Input Validation Error Vulnerability (CNVD-2021-101986)
2021-12-20 00:00:00

0.001 Low

EPSS

Percentile

33.5%

JSON
Related for H1:1357013
cve1prion1osv2cvelist1nvd1cnvd1