CVE-2023-5968
published 2023-11-06

CVE-2023-5968: Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.

Priority: P4 (23)
CVSS 3.1: 4.9 (medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  Attack vector: Network; Attack complexity: Low; Privileges required: High; User interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: None; Availability: None
EPSS: 0.51% (39.7th percentile)

Affected (12 ranges)

Vendor     | Product                          | Version range                               | Fixed in
github.com | mattermost_mattermost-server     | >= 0, < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a
github.com | mattermost_mattermost-server_v5  | >= 0, < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a
github.com | mattermost_mattermost-server_v6  | >= 0, < 5.3.2-0.20230825233148-f787fd63368a | 5.3.2-0.20230825233148-f787fd63368a
github.com | mattermost_mattermost-server_v6  | >= 5.4.0-rc1, < 7.8.12                      | 7.8.12
github.com | mattermost_mattermost_server_v8  | >= 0, < 8.0.0-20230825233148-f787fd63368a   | 8.0.0-20230825233148-f787fd63368a
github.com | mattermost_mattermost_server_v8  | >= 8.0.0, < 8.0.4                           | 8.0.4
github.com | mattermost_mattermost_server_v8  | >= 8.1.0, < 8.1.3                           | 8.1.3
github.com | mattermost_mattermost_server_v8  | >= 9.0.0, < 9.0.1                           | 9.0.1
mattermost | mattermost                       | <= 7.8.11                                   |
mattermost | mattermost                       | (not specified)                             |
mattermost | mattermost                       | 8.0.0 – 8.0.3                               |
mattermost | mattermost                       | 8.1.0 – 8.1.2                               |
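To make the bug class concrete, the following Go program is an added example that is not Mattermost's code and does not reproduce the exact handler or endpoint involved. It models what the advisory describes: a username update that serialises the user record it got back from the store without sanitising it, so the stored password hash appears in the response body, beside the corrected version and the response check a tester would run against a captured body. The User struct, the in-memory store, the JSON key name "password" and the bcrypt-style sample hash are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// User models the fields relevant to the bug class: a profile object that
// carries the stored credential next to the public attributes. This is an
// illustrative struct, not Mattermost's model.User (assumption).
type User struct {
	Id       string `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email"`
	Password string `json:"password,omitempty"` // credential hash as stored server-side
}

// Sanitize clears the fields that must never leave the server. It works on
// a copy, so the stored record keeps its hash while the response is stripped.
func (u User) Sanitize() User {
	u.Password = ""
	return u
}

// store stands in for the user table. The hash is a constructed, bcrypt-shaped
// placeholder, not a real credential.
var store = map[string]*User{
	"u1": {
		Id:       "u1",
		Username: "alice",
		Email:    "alice@example.com",
		Password: "$2a$10$constructedsaltconstructedsaltconstructedhashplaceholder",
	},
}

// updateUsernameVulnerable mirrors the failure mode: the handler changes the
// username, then encodes the record it got back from the store as-is.
func updateUsernameVulnerable(id, newName string) ([]byte, error) {
	u, ok := store[id]
	if !ok {
		return nil, fmt.Errorf("user %q not found", id)
	}
	u.Username = newName
	return json.Marshal(u) // BUG: full record, password hash included
}

// updateUsernameFixed performs the same update but sanitises the object
// before it is serialised into the response body.
func updateUsernameFixed(id, newName string) ([]byte, error) {
	u, ok := store[id]
	if !ok {
		return nil, fmt.Errorf("user %q not found", id)
	}
	u.Username = newName
	return json.Marshal(u.Sanitize())
}

// LeaksPasswordHash is the check to run over a captured response body:
// decode it and report whether a non-empty "password" key came back.
func LeaksPasswordHash(body []byte) bool {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return false
	}
	v, ok := m["password"].(string)
	return ok && v != ""
}

// LooksLikeBcrypt is a secondary heuristic for telling a real stored hash
// apart from an empty or placeholder value in the leaked field.
func LooksLikeBcrypt(v string) bool {
	return strings.HasPrefix(v, "$2a$") || strings.HasPrefix(v, "$2b$") || strings.HasPrefix(v, "$2y$")
}

func main() {
	vuln, _ := updateUsernameVulnerable("u1", "alice2")
	fmt.Printf("vulnerable response: %s\n  leaks hash: %v\n", vuln, LeaksPasswordHash(vuln))

	fixed, _ := updateUsernameFixed("u1", "alice3")
	fmt.Printf("fixed response: %s\n  leaks hash: %v\n", fixed, LeaksPasswordHash(fixed))
}
```

The check is deliberately independent of the product: when verifying a deployed instance, capture the body of the username-update response with the permissions the CVSS vector implies (PR:H) and feed it to LeaksPasswordHash; a non-empty password field in any profile response is the finding, regardless of how the hash is formatted.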