Mattermost vulnerability allows for one-click client-side path traversal and CSRF
CVE-2024-40886

8.8HIGH

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 22 August 2024

Summary

The vulnerability in Mattermost is attributed to inadequate sanitization of user inputs in the frontend, specifically used for redirection processes. This oversight potentially exposes the User Management page in the system console to a one-click client-side path traversal, facilitating a Cross-Site Request Forgery (CSRF) attack. Organizations using vulnerable versions should prioritize updates and apply security patches to safeguard their systems against exploitation.

Affected Version(s)

Mattermost 9.9.0 <= 9.9.1

Mattermost 9.5.0 <= 9.5.7

Mattermost 9.10.0

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2024
Vulnerability Reserved
Aug 20, 2024

Credit

DoyenSec