CVE-2023-46701Sensitive Information Exposure in Mattermost

CWE-200Sensitive Information ExposureCWE-639Authorization Bypass Through User-Controlled Key3 documents3 sources
Severity
5.3MEDIUMNVD
CNA6.5
EPSS
0.2%
top 58.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MattermostMattermost Server
Timeline
PublishedDec 12

Description

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5mattermost/mattermost8.1.5+3
NVDmattermost/mattermost_server8.0.08.1.5+4

🔴Vulnerability Details

2
CVEList
Inaccessible Post Information Leak via Run Timeline IDOR2023-12-12
GHSA
GHSA-pjqg-q843-gm7c: Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowin2023-12-12
CVE-2023-46701 — Sensitive Information Exposure | cvebase