Client side path traversal due to lack of route parameters validation
CVE-2023-6458
7.1 HIGH
Summary
The Mattermost web application does not properly validate the route parameters it extracts from URLs of the form /<TEAM_NAME>/channels/<CHANNEL_NAME>. Client-side path traversal arises when such parameters are reused by the web client to build further requests: a crafted link can carry traversal sequences in the team or channel segment, so that the victim's authenticated browser session sends requests to an endpoint chosen by the attacker rather than the one the client intended. The CVSS vector reflects the preconditions and impact: the victim must already be logged in (low privileges required) and must open the crafted link (user interaction required); the primary impact is on integrity, with lesser impact on confidentiality and availability.
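The pattern described above, shown as an added illustration that is not Mattermost's code: one function concatenates a route parameter straight into an API path, the other validates the parameter first. The API path layout (`/api/v4/teams/name/.../channels/name/...`), the function names, the allowed-name regex and the placeholder target `/api/v4/other/endpoint` are all assumptions made for this example, not details taken from the advisory.

```javascript
// Added example of client-side path traversal (CSPT) via route parameters.
// NOT Mattermost's code: the API path layout, function names, name rules
// and the target endpoint below are assumptions for the demonstration.

// Vulnerable pattern: the route parameter (already percent-decoded by the
// client-side router) is interpolated directly into an API path.
function buildChannelApiPathVulnerable(teamName, channelName) {
  return `/api/v4/teams/name/${teamName}/channels/name/${channelName}`;
}

// Hardened pattern: accept only the character set the application allows
// for team and channel names. The regex is an assumption for this example;
// it rejects '/', '%', '..' and anything that is not a plain slug.
const ROUTE_NAME_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/;

function isValidRouteName(name) {
  return typeof name === 'string' && ROUTE_NAME_RE.test(name);
}

function buildChannelApiPathHardened(teamName, channelName) {
  if (!isValidRouteName(teamName) || !isValidRouteName(channelName)) {
    throw new Error('invalid route parameter');
  }
  return `/api/v4/teams/name/${teamName}/channels/name/${channelName}`;
}

// Model what the browser does with the built path: the WHATWG URL parser
// collapses '.' and '..' segments before the request leaves the client.
const PLACEHOLDER_ORIGIN = 'https://example.invalid'; // constructed, for normalisation only

function resolveRequestPath(path) {
  return new URL(path, PLACEHOLDER_ORIGIN).pathname;
}

// Constructed attacker-controlled channel segment: five '..' climb out of
// /api/v4/teams/name/<team>/channels/name/ and land on another endpoint.
const CRAFTED_CHANNEL = '../../../../../other/endpoint';

function demo() {
  const vulnerable = resolveRequestPath(
    buildChannelApiPathVulnerable('myteam', CRAFTED_CHANNEL),
  );
  let hardened;
  try {
    buildChannelApiPathHardened('myteam', CRAFTED_CHANNEL);
    hardened = 'accepted';
  } catch (e) {
    hardened = 'rejected';
  }
  return { vulnerable, hardened };
}

console.log(demo());
// vulnerable: '/api/v4/other/endpoint' (request redirected by traversal)
// hardened:   'rejected'
```

The fix is deliberately an allow-list on the parameter, not a blocklist of `..`: encoded or mixed-case variants of a traversal sequence are rejected because they simply are not valid names, and the check happens before the value is ever joined into a path.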
Affected Version(s)
Mattermost 9.1.x, up to and including 9.1.1
Mattermost 9.0.x, up to and including 9.0.2
Mattermost 8.1.x, up to and including 8.1.4
References
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Score: 7.1
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low
Timeline
Vulnerability published
Vulnerability reserved
Credit
DoyenSec