CVE-2017-18890
Published 2020-06-19
Priority: P4 (19) | Severity: medium | Score: 4.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (network attack vector, low complexity, no privileges required, user interaction required, scope unchanged; no confidentiality or availability impact, low integrity impact)
EPSS: 0.77% (51.0th percentile)
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 0 < 4.1.2 | 4.1.2 |
| github.com | mattermost_mattermost-server | >= 0 < 4.1.2+incompatible | 4.1.2+incompatible |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1 < 4.2.1 | 4.2.1 |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1+incompatible < 4.2.1+incompatible | 4.2.1+incompatible |
| github.com | mattermost_mattermost-server | >= 4.3.0-rc1 < 4.3.0 | 4.3.0 |
| github.com | mattermost_mattermost-server | >= 4.3.0-rc1+incompatible < 4.3.0+incompatible | 4.3.0+incompatible |
| mattermost | mattermost_server | < 4.1.2 | 4.1.2 |
| mattermost | mattermost_server | — | — |
| mattermost | mattermost_server | >= 4.2.0 < 4.2.1 | 4.2.1 |
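The ranges above mix release versions, "-rcN" pre-releases and Go's "+incompatible" build metadata, and it is easy to misjudge a deployed build by string comparison alone (4.2.0 is affected although it is newer than the fixed 4.1.2; 4.3.0-rc1 is affected although 4.3.0 is fixed). The following is an added example written for this page, not code from Mattermost or from any advisory database: a small Go checker that parses a mattermost-server version string, orders pre-releases before the release they precede, ignores build metadata as semver requires, and tests the version against the three distinct intervals the table lists (the "+incompatible" rows collapse into them). The parser, `Compare` and `IsAffected` are this example's own helpers, and the sample versions in `main` are constructed inputs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semantic version. Build metadata (e.g. "incompatible")
// is kept for display but ignored in comparisons, as the semver spec requires.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // e.g. "rc1"; empty means a final release
	Build               string // e.g. "incompatible"
}

// ParseVersion accepts forms such as "4.2.0", "v4.2.0-rc1", "4.1.2+incompatible".
func ParseVersion(s string) (Version, error) {
	var v Version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		v.Build, s = s[i+1:], s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH", s)
	}
	fields := [3]*int{&v.Major, &v.Minor, &v.Patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		*fields[i] = n
	}
	return v, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// splitPre separates a tag like "rc10" into ("rc", 10) so that rc10 > rc2,
// which plain lexical ordering would get wrong.
func splitPre(p string) (string, int) {
	i := len(p)
	for i > 0 && p[i-1] >= '0' && p[i-1] <= '9' {
		i--
	}
	n, _ := strconv.Atoi(p[i:]) // empty suffix -> 0
	return p[:i], n
}

// Compare returns -1, 0 or 1. A pre-release sorts before the release it
// precedes (4.3.0-rc1 < 4.3.0); build metadata never influences the result.
func Compare(a, b Version) int {
	if c := cmpInt(a.Major, b.Major); c != 0 {
		return c
	}
	if c := cmpInt(a.Minor, b.Minor); c != 0 {
		return c
	}
	if c := cmpInt(a.Patch, b.Patch); c != 0 {
		return c
	}
	switch {
	case a.Pre == "" && b.Pre == "":
		return 0
	case a.Pre == "":
		return 1
	case b.Pre == "":
		return -1
	}
	at, an := splitPre(a.Pre)
	bt, bn := splitPre(b.Pre)
	if c := strings.Compare(at, bt); c != 0 {
		return c
	}
	return cmpInt(an, bn)
}

// Range is a half-open affected interval [Lo, Hi); Hi is the fixed version.
type Range struct{ Lo, Hi Version }

func mustParse(s string) Version {
	v, err := ParseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// AffectedRanges are the intervals from the table on this page for CVE-2017-18890.
var AffectedRanges = []Range{
	{mustParse("0.0.0"), mustParse("4.1.2")},
	{mustParse("4.2.0-rc1"), mustParse("4.2.1")},
	{mustParse("4.3.0-rc1"), mustParse("4.3.0")},
}

// IsAffected reports whether a mattermost-server version falls inside any range.
func IsAffected(version string) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range AffectedRanges {
		if Compare(v, r.Lo) >= 0 && Compare(v, r.Hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs, not taken from any real deployment.
	for _, s := range []string{"v4.1.1", "4.1.2", "v4.2.0+incompatible", "4.2.0-rc1", "4.2.1", "4.3.0-rc2", "4.3.0", "5.0.0"} {
		ok, err := IsAffected(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-22s affected=%v\n", s, ok)
	}
}
```

The check deliberately uses half-open intervals, so a release candidate of a fixed version (for example 4.1.2-rc1) still reports as affected, which matches how the "Fixed in" column should be read: only the final fixed release and later carry the fix.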
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
osv · 2025-12-15
CVE-2017-18890: Mattermost Server allows attackers to create buttons that can launch API requests in github.com/mattermost/mattermost-server
GHSA
ghsa · 2022-05-24 · MEDIUM · CWE-20 (Improper Input Validation)
CVE-2017-18890: Mattermost Server allows attackers to create buttons that can launch API requests
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
OSV
osv · 2022-05-24 · MEDIUM
CVE-2017-18890: Mattermost Server allows attackers to create buttons that can launch API requests
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.