CVE-2023-27266 — Sensitive Information Exposure in Mattermost

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

2.7LOWNVD

EPSS

0.2%

top 52.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Mattermost Server

Timeline

PublishedFeb 27

Description

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5mattermost/mattermost5.12.0 — 7.7.0

▶NVDmattermost/mattermost_server5.12.0 — 7.7.0

🔴Vulnerability Details

CVEList

Disclosure of team owner email address when when accessing the teams API↗2023-02-27

▶

GHSA

GHSA-cxwh-9cmm-77cp: Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker w↗2023-02-27

▶