CVE-2023-1421Cross-site Scripting in Mattermost

CWE-79Cross-site ScriptingCWE-665Improper Initialization4 documents4 sources
Severity
6.1MEDIUMNVD
CNA3.5
EPSS
1.7%
top 17.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MattermostMattermost Server
Timeline
PublishedMar 15
Latest updateMar 16

Description

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5mattermost/mattermost5.32.07.7
NVDmattermost/mattermost_server5.32.07.7.0

🔴Vulnerability Details

2
GHSA
GHSA-mq63-cgjw-m94m: A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf2023-03-16
CVEList
Reflected XSS in OAuth flow completion endpoints2023-03-15
CVE-2023-1421 — Cross-site Scripting in Mattermost | cvebase