CVE-2017-18892
Published: 2020-06-19
Priority: P4 (23)
Severity: medium (CVSS 3.1 base score 6.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.69% (48.2th percentile)

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 0 < 4.0.5 | 4.0.5 |
| github.com | mattermost_mattermost-server | >= 0 < 4.0.5+incompatible | 4.0.5+incompatible |
| github.com | mattermost_mattermost-server | >= 4.1.0 < 4.1.1 | 4.1.1 |
| github.com | mattermost_mattermost-server | >= 4.1.0+incompatible < 4.1.1+incompatible | 4.1.1+incompatible |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1 < 4.2.0 | 4.2.0 |
| github.com | mattermost_mattermost-server | >= 4.2.0-rc1+incompatible < 4.2.0+incompatible | 4.2.0+incompatible |
| mattermost | mattermost_server | < 4.0.5 | 4.0.5 |
| mattermost | mattermost_server | — | — |
| mattermost | mattermost_server | >= 4.1.0 < 4.1.1 | 4.1.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
osv · 2026-01-23
CVE-2017-18892: Mattermost Server does not neutralize HTML content in an Email template field in github.com/mattermost/mattermost-server
OSV
osv · 2022-05-24
CVE-2017-18892 [MEDIUM]: Mattermost Server does not neutralize HTML content in an Email template field
GHSA
ghsa · 2022-05-24
CVE-2017-18892 [MEDIUM] CWE-116: Mattermost Server does not neutralize HTML content in an Email template field
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.