PT-2026-6729 · WordPress · Mattermost Confluence Plugin

Daw10

Publicado

2026-02-06

Atualizado

2026-03-03

CVE-2025-13523

CVSS v3.1

7.7

Alta

Vetor

AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Mattermost Confluence plugin versions prior to 1.7.0

Description The Mattermost Confluence plugin does not properly sanitize user-controlled display names when rendering HTML templates. This allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in a victim’s browser. The issue occurs when a specially crafted OAuth2 connection link is sent and visited, rendering the attacker’s display name without proper sanitization. The vulnerable component is the HTML template rendering process. The display name is the vulnerable parameter.

Recommendations Update the Mattermost Confluence plugin to version 1.7.0 or later.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2025-13523

GHSA-FFX7-34P2-VM3W

GO-2026-4456

SUSE-SU-2026:0757-1

Produtos afetados

Mattermost Confluence Plugin

PT-2026-6729 · WordPress · Mattermost Confluence Plugin

CVE-2025-13523

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 116