CVE-2023-35075 — Injection in Mattermost Mattermost-server V6

CWE-74 — Injection4 documents4 sources

Severity

5.4MEDIUMNVD

CNA3.1

EPSS

0.5%

top 33.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server V6 Github.com Mattermost Mattermost Server V8 Mattermost

Timeline

PublishedNov 27

Description

Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶Gogithub.com/mattermost_mattermost-server_v6< 7.8.13

▶Gogithub.com/mattermost_mattermost_server_v8< 8.1.4

▶CVEListV5mattermost/mattermost8.1.3+1

▶NVDmattermost/mattermost8.0.0 — 8.1.3+1

🔴Vulnerability Details

GHSA

Mattermost Injection vulnerability↗2023-11-27

▶

OSV

Mattermost Injection vulnerability↗2023-11-27

▶

CVEList

HTML injection via channel autocomplete↗2023-11-27

▶