VULNRICHMENT:CVE-2024-1952 (Mattermost)
History: Feb 29, 2024 - 10:42 a.m.

CVE-2024-1952
2024-02-29 10:42:15
CWE-200
Mattermost
github.com
3
mattermost, permalinks, authenticated attacker, posts content

CVSS3 (3.1)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.5
Confidence: Low

SSVC
Exploitation: none
Automatable: no
Technical Impact: partial

Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts’ contents in channels they are not a member of.

CNA Affected

[
  {
    "vendor": "Mattermost",
    "product": "Mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "8.1.0",
        "versionType": "semver",
        "lessThanOrEqual": "8.1.8"
      },
      {
        "status": "unaffected",
        "version": "9.4"
      },
      {
        "status": "unaffected",
        "version": "8.1.9"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
