CVE-2017-18871 — Uncaught Exception in Mattermost Mattermost-server

CWE-248 — Uncaught Exception5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Mattermost Server

Timeline

PublishedJun 19

Latest updateDec 8

Description

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDmattermost/mattermost_server4.3.0 — 4.3.4+3

▶Gogithub.com/mattermost_mattermost-server4.3.0-rc1+incompatible — 4.3.4+incompatible+7

🔴Vulnerability Details

OSV

Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server↗2025-12-08

▶

OSV

Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names↗2022-05-24

▶

GHSA

Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names↗2022-05-24

▶

CVEList

CVE-2017-18871: An issue was discovered in Mattermost Server before 4↗2020-06-19

▶