CVE-2016-11071 — Cross-site Scripting in Mattermost Mattermost-server

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 41.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Mattermost Server

Timeline

PublishedJun 19

Latest updateOct 30

Description

An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDmattermost/mattermost_server< 3.1.0

▶Gogithub.com/mattermost_mattermost-server< 3.1.0+incompatible+1

🔴Vulnerability Details

OSV

Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server↗2025-10-30

▶

OSV

Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`↗2022-05-24

▶

GHSA

Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`↗2022-05-24

▶

CVEList

CVE-2016-11071: An issue was discovered in Mattermost Server before 3↗2020-06-19

▶