CVE-2023-5968: Sensitive Information Exposure in Mattermost Mattermost-server

Severity: 4.9 MEDIUM (NVD)
EPSS: 0.1% (top 65.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 6

Description

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.2 | Impact: 3.6

Affected Packages (6 packages)

Go: github.com/mattermost_mattermost-server < 5.3.2-0.20230825233148-f787fd63368a
Go: github.com/mattermost_mattermost-server_v5 < 5.3.2-0.20230825233148-f787fd63368a
CVEList V5: mattermost/mattermost 7.8.11 (+3)

Vulnerability Details

3 sources
CVEList: Password hash in response body after username update (2023-11-06)
GHSA: Mattermost password hash disclosure vulnerability (2023-11-06)
OSV: Mattermost password hash disclosure vulnerability (2023-11-06)
CVE-2023-5968 — Sensitive Information Exposure | cvebase