Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mattermost 3.5.0 / 3.5.1 Cross Site Scripting

🗓️ 19 Jan 2017 00:00:00Reported by Julien AhrensType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 65 Views

Mattermost Cross-Site Scripting vulnerability in versions 3.5.0 and 3.5.

Code
`RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: Mattermost  
Vendor URL: www.mattermost.org  
Type: Cross-site Scripting [CWE-79]  
Date found: 02/12/2016  
Date published: 16/01/2017  
CVSSv3 Score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)  
CVE: -  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
Mattermost v3.5.1  
Mattermost v3.5.0  
older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
Mattermost is an open source Slack-alternative built for enterprise.  
Thousands of companies use Mattermost for workplace messaging across  
web, PC and phones with archiving, search, corporate directory  
integration and connectivity to over 700 third party applications.  
Available under MIT license in 11 languages Mattermost offers  
peace-of-mind, value, control, and freedom from lock-in for  
organizations around the world.  
  
  
5. VULNERABILITY DETAILS  
========================  
The Mattermost "/error" page is vulnerable to an unauthenticated  
reflected Cross-Site Scripting vulnerability when user-supplied input to  
the HTTP GET parameter "link" is processed by the web application. Since  
the application does not properly validate and sanitize this parameter,  
it is possible to set the return link, which is part of the error page,  
to a base64 encoded DATA URI. This could be used to execute arbitrary  
JavaScript code in the context of an authenticated as well as  
unauthenticated user.  
  
There is one restriction which reduces the attack likelihood: Due to  
JavaScript validations it is not possible to execute the payload by a  
simple click on the return link, but instead it must be opened in a new  
browser tab or window. However since an attacker does also have all  
other text elements (HTTP GET parameters "title" and "linkmessage") of  
the error page under control, it is possible to perform social  
engineering attacks on the very same page.  
  
The following Proof-of-Concept triggers this vulnerability by injecting  
a base64-encoded data URI and a spoofed content text for the title and  
link message:  
  
https://localhost/error?title=Unknown%20Error&link=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=&linkmessage=http://mattermost.org&message=Something%20went%20wrong%20with%20the%20provided%20link,%20open%20it%20with%20a%20right%20click%20instead!  
  
The payload is afterwards reflected within the response body:  
  
<div class="error__container"><div class="error__icon"><i class="fa  
fa-exclamation-triangle"></i></div><h2>Unknown  
Error</h2><div><p>Something went wrong with the provided link, open it  
with a right click instead!</p>  
</div><a  
href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">http://mattermost.org</a></div>  
  
  
6. RISK  
=======  
To successfully exploit this vulnerability an authenticated or  
unauthenticated user must be tricked into visiting a prepared link  
provided by the attacker. Once on the "/error" page, the user must also  
be tricked into opening the link in a new tab or window, which can be  
accomplished by spoofing the other elements of the error page.  
  
The vulnerability can be used to temporarily embed arbitrary script code  
into the context of the Mattermost error page, which offers a wide range  
of possible attacks such as redirecting the user to a malicious page or  
attacking the browser and its plugins. Since session-relevant cookies  
are protected with the HttpOnly flag, it is not possible to hijack sessions.  
  
  
7. SOLUTION  
===========  
Update to Mattermost v3.6.0.  
  
  
8. REPORT TIMELINE (DD/MM/YYYY)  
===============================  
02/12/2016: Discovery of the vulnerability  
02/12/2016: Created support ticket #2231 with preset disclosure date  
set to 16/01/2017  
12/12/2016: No response, sent out another notification  
12/12/2016: Vendor confirms the vulnerability  
03/01/2017: No further response, sent reminder about the disclosure date  
16/01/2017: Vendor releases v3.6.0 which fixes this vulnerability  
18/01/2017: Advisory released  
  
  
9. REFERENCES  
=============  
-  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Jan 2017 00:00Current
7.4High risk
Vulners AI Score7.4
mattermostcross-site scriptingcve-79rce securitymit licensejavascript validationhttponly flagsolutionversion 3.6.0
65