CVE-2023-43754 — Sensitive Information Exposure in Mattermost Mattermost-server V6
Severity
4.3 MEDIUM (NVD)
EPSS
0.4%
top 42.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Nov 27
Description
Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled when displaying permalink previews, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4
Affected Packages: 4 packages
Vulnerability Details
3 CVEList
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels (2023-11-27)