CVE-2022-1002

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations.
References
Link Resource
https://hackerone.com/reports/1443567 Exploit Third Party Advisory
https://mattermost.com/security-updates/ Release Notes Vendor Advisory
https://hackerone.com/reports/1443567 Exploit Third Party Advisory
https://mattermost.com/security-updates/ Release Notes Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:39

Type Values Removed Values Added
CVSS v2 : 3.5
v3 : 5.4
v2 : 3.5
v3 : 2.0
References () https://hackerone.com/reports/1443567 - Exploit, Third Party Advisory () https://hackerone.com/reports/1443567 - Exploit, Third Party Advisory
References () https://mattermost.com/security-updates/ - Release Notes, Vendor Advisory () https://mattermost.com/security-updates/ - Release Notes, Vendor Advisory

Information

Published : 2022-03-18 18:15

Updated : 2024-11-21 06:39


NVD link : CVE-2022-1002

Mitre link : CVE-2022-1002

CVE.ORG link : CVE-2022-1002


JSON object : View

Products Affected

mattermost

  • mattermost
CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')