GoogleOSV:GHSA-8F99-G2PJ-X8W3Mattermost crashes web clients via a malformed custom status
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users’ web clients via a malformed custom status.
References
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/41333a0babf565453d89287549bec1e546e75ce7
github.com/mattermost/mattermost/commit/6cbab0f7ece104681f73dd12c75d9f22d567125e
github.com/mattermost/mattermost/commit/a99dadd80c57d376185ca06f8f70919a6f135bc6
github.com/mattermost/mattermost/commit/f84f8ed65f6a5faba974426424b684635455a527
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2024-4182
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%