Base Score

MEDIUM5.4

CVE-2023-35075

Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.

VectorNETWORK

Published Byresponsibledisclosure@mattermost.com

Published DateNov 27, 2023, 10:15

Affected Versions(2)

github.com/mattermost/mattermost/server/v8(Go)

Introduced0

Fixed8.1.4

LimitN/A

github.com/mattermost/mattermost-server/v6(Go)

Introduced0

Fixed7.8.13

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/mattermost/mattermost/server/v8(Go)	0	8.1.4	N/A
github.com/mattermost/mattermost-server/v6(Go)	0	7.8.13	N/A

Weakness Type (CWE):CWE-74

CVSS Metrics

Base Score

5.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

https://mattermost.com/security-updates

Base Score

MEDIUM5.4

Weakness Type (CWE):CWE-74

CVSS Metrics

Base Score

5.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE