CVE-2023-48732 — Sensitive Information Exposure in Mattermost Mattermost-server

CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 30.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost-server V6 Github.com Mattermost Mattermost Server V8 +2 more

Timeline

PublishedJan 2

Latest updateJun 28

Description

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDmattermost/mattermost_server< 8.1.7

▶Gogithub.com/mattermost_mattermost-server< 8.1.7+incompatible

▶Gogithub.com/mattermost_mattermost-server_v6< 8.1.7

▶Gogithub.com/mattermost_mattermost_server_v8< 8.1.7

▶CVEListV5mattermost/mattermost8.1.6

🔴Vulnerability Details

OSV

Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server↗2024-06-28

▶

CVEList

Keywords that trigger mentions are leaked to other users↗2024-01-02

▶

GHSA

Mattermost notified all users in the channel when using WebSockets to respond individually↗2024-01-02

▶

OSV

Mattermost notified all users in the channel when using WebSockets to respond individually↗2024-01-02

▶