CVE-2024-1402

2024-02-0916:15:07

Google

osv.dev

mattermost

custom emoji

vulnerability

mobile app

security issue

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

4.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post and to crash the server due to overloading when clients attempt to retrive the aforementioned post.

CPENameOperatorVersion
mattermosteq9.2.0-rc2
mattermosteq@mattermost/[email protected]
mattermosteq9.2.3
mattermosteq9.2.3-rc1
mattermosteq@mattermost/[email protected]
mattermosteq9.2.2
mattermosteq9.2.1
mattermosteq9.2.0

Name	Operator	Version
mattermost	eq	9.2.0-rc2
mattermost	eq	@mattermost/[email protected]
mattermost	eq	9.2.3
mattermost	eq	9.2.3-rc1
mattermost	eq	@mattermost/[email protected]
mattermost	eq	9.2.2
mattermost	eq	9.2.1
mattermost	eq	9.2.0