Reflected client side path traversal leading to CSRF in Playbooks
CVE-2023-45316

7.3HIGH

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 12 December 2023

Summary

The Mattermost platform contains a vulnerability in its telemetry API where it improperly validates the input for telemetry run IDs. This flaw allows an attacker to conduct path traversal, enabling them to manipulate the API endpoint and potentially initiate a cross-site request forgery (CSRF) attack. Users are advised to update to the latest version to mitigate the risks associated with this issue.

Affected Version(s)

Mattermost 0 <= 9.1.2

Mattermost 0 <= 9.0.3

Mattermost 0 <= 8.1.5

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 12, 2023
Vulnerability Reserved
Dec 5, 2023

Credit

DoyenSec