PT-2020-7994 · Mattermost · Mattermost Server

Published

2020-06-19

Updated

2020-06-26

CVE-2016-11065

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Mattermost Server versions prior to 3.3.0

Description: An issue was discovered that allows an attacker to use the WebSocket feature to send pop-up messages to users or change a post's appearance.

Recommendations: For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider disabling the WebSocket feature until a patch is available. Restrict access to the WebSocket endpoint to minimize the risk of exploitation. Avoid using the WebSocket feature in the affected API endpoint until the issue is resolved.

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2016-11065

Affected Products

Mattermost Server

PT-2020-7994 · Mattermost · Mattermost Server

CVE-2016-11065

Weakness Enumeration

Related Identifiers

Affected Products

References · 4