Lucene search

MattermostVULNRICHMENT:CVE-2024-37182

HistoryJun 14, 2024 - 8:39 a.m.

CVE-2024-37182 Lack of permissions prompting when opening external URLs

2024-06-1408:39:19

CWE-693

Mattermost

github.com

cve-2024-37182

lack of permissions

external urls

remote attacker

arbitrary programs

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim’s system via custom URI schemes.

CNA Affected

[
  {
    "vendor": "Mattermost",
    "product": "Mattermost",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "5.7.0"
      },
      {
        "status": "unaffected",
        "version": "5.8.0"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

mattermost.com/security-updates

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VULNRICHMENT:CVE-2024-37182