CVE-2023-2783 — Missing Authorization in Mattermost Mattermost-server V6

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 60.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server V6 Mattermost APP Framework Mattermost

Timeline

PublishedJun 16

Description

Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5mattermost/mattermost_app_framework7.8.4+2

▶Gogithub.com/mattermost_mattermost-server_v67.10.0 — 7.10.1+3

▶NVDmattermost/mattermost7.8.0 — 7.8.4+2

🔴Vulnerability Details

GHSA

Mattermost Server Missing Authorization vulnerability↗2023-06-16

▶

OSV

Mattermost Server Missing Authorization vulnerability↗2023-06-16

▶

CVEList

App Framework does not checks for the secret provided in the incoming webhook request↗2023-06-16

▶