CVE-2023-3613 — Incorrect Authorization in Server

CWE-863 — Incorrect Authorization CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

3.5LOWNVD

EPSS

0.1%

top 64.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost Plugins

Timeline

PublishedJul 17

Description

Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5mattermost/mattermost_plugins7.8.5+1

▶NVDmattermost/mattermost_server7.9.0 — 7.10.3+1

🔴Vulnerability Details

CVEList

Guest accounts invited and added to channels by Welcomebot plugin↗2023-07-17

▶

GHSA

GHSA-v326-937j-3p86: Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added↗2023-07-17

▶