CVE-2024-23319: Cross-Site Request Forgery in Mattermost mattermost-plugin-jira

Severity: 3.5 LOW (NVD)
EPSS: 0.1% (top 71.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 9, 2024; latest update Mar 18, 2024

Description

The Mattermost Jira Plugin does not protect its logout (disconnect) endpoint against cross-site request forgery. An attacker with a Mattermost account can post a specially crafted message that, when another user merely views it, causes that user's own browser and session to hit the endpoint and disconnect the user's Jira connection in Mattermost. No interaction beyond viewing the message is required. The impact is limited to the availability of the Jira integration for the affected user (CVSS C:N/I:N/A:L), which is why the issue is rated low severity.
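To make the flaw class concrete, here is an added example (not code from the Mattermost Jira plugin or the Mattermost project) of a disconnect endpoint in the vulnerable shape beside a hardened one. The session cookie name (MMAUTHTOKEN), the session and CSRF token tables, the header names and the routes are all constructed for the example; only the mechanism is what the advisory describes: a state-changing endpoint that any cookie-bearing browser request can reach, which is exactly what a request triggered by rendered message content supplies.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"sync"
)

// Constructed session table: session cookie value -> user ID. Stands in for
// the server's session lookup; the cookie name and values are assumptions.
var sessions = map[string]string{
	"sess-alice": "alice",
	"sess-bob":   "bob",
}

// Constructed CSRF table: user ID -> token the client must echo back on a
// state-changing request. A real implementation binds the token to the session.
var csrfTokens = map[string]string{
	"alice": "tok-alice-9f2c",
	"bob":   "tok-bob-41d7",
}

// ConnectionStore records which users currently have a Jira connection.
type ConnectionStore struct {
	mu    sync.Mutex
	conns map[string]bool
}

func NewConnectionStore(users ...string) *ConnectionStore {
	s := &ConnectionStore{conns: map[string]bool{}}
	for _, u := range users {
		s.conns[u] = true
	}
	return s
}

func (s *ConnectionStore) Connected(user string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.conns[user]
}

func (s *ConnectionStore) disconnect(user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.conns, user)
}

// userFromRequest resolves the caller from the session cookie. The browser
// attaches this cookie to every request to the Mattermost origin, including
// requests it issues while rendering a message, which is what a logout CSRF
// relies on: the victim never types anything, the viewer does the work.
func userFromRequest(r *http.Request) string {
	c, err := r.Cookie("MMAUTHTOKEN")
	if err != nil {
		return ""
	}
	return sessions[c.Value]
}

// VulnerableDisconnect has the flaw: any authenticated request, whatever its
// method or how it was triggered, tears down the caller's Jira connection.
func VulnerableDisconnect(store *ConnectionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := userFromRequest(r)
		if user == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		store.disconnect(user)
		w.WriteHeader(http.StatusOK)
	}
}

// HardenedDisconnect only acts on a POST that carries a custom header and a
// session-bound CSRF token. Neither can be produced by a link, image or form
// embedded in a rendered message; only the plugin's own JavaScript can add them.
func HardenedDisconnect(store *ConnectionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := userFromRequest(r)
		if user == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if r.Header.Get("X-Requested-With") != "XMLHttpRequest" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		expected := csrfTokens[user]
		got := r.Header.Get("X-CSRF-Token")
		if expected == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		store.disconnect(user)
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	store := NewConnectionStore("alice", "bob")
	mux := http.NewServeMux()
	mux.Handle("/plugins/jira/disconnect-vulnerable", VulnerableDisconnect(store)) // assumed route
	mux.Handle("/plugins/jira/disconnect", HardenedDisconnect(store))              // assumed route
	_ = http.ListenAndServe("127.0.0.1:8080", mux)
}
```

Note the defences that do not help here: because the attacker's message is rendered inside the Mattermost origin itself, an Origin or Referer check and SameSite cookies both see a same-site request and pass it. The check has to be something the message renderer cannot forge on the victim's behalf, hence the POST-only rule plus a custom header and a per-session token compared in constant time.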

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Exploitability: 2.1 | Impact: 1.4

Affected packages (3)

Go: github.com/mattermost/mattermost-plugin-jira < 1.1.2-0.20230830170046-f4cf4c6de017
CVEList V5: mattermost/mattermost 8.1.7

Vulnerability Details (4 references)

OSV (2024-03-18): Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira
GHSA (2024-02-09): Mattermost Jira Plugin vulnerable to Cross-Site Request Forgery
OSV (2024-02-09): Mattermost Jira Plugin vulnerable to Cross-Site Request Forgery
CVEList (2024-02-09): CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
CVE-2024-23319 — Cross-Site Request Forgery | cvebase