CVE-2021-37860 — Cross-site Scripting in Mattermost Mattermost-server V5

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

CNA3.7

EPSS

0.2%

top 56.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server V5 Mattermost

Timeline

PublishedSep 22

Latest updateAug 21

Description

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Gogithub.com/mattermost_mattermost-server_v5< 5.39.0

▶CVEListV5mattermost/mattermostunspecified — 5.38

▶NVDmattermost/mattermost5.38

🔴Vulnerability Details

OSV

Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server↗2024-08-21

▶

OSV

Cross-site Scripting in Mattermost↗2021-09-23

▶

GHSA

Cross-site Scripting in Mattermost↗2021-09-23

▶

CVEList

CVE-2021-37860: Mattermost 5↗2021-09-22

▶