PT-2020-8454 · Mattermost · Mattermost Server

Published: 2020-06-19 · Updated: 2026-03-03 · CVE-2017-18908

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
  Mattermost Server versions prior to 4.0.0
  Mattermost Server version 3.10.2
  Mattermost Server version 3.9.2
Description: An issue was discovered where a password-reset request could be sent to an attacker-provided e-mail address.
Recommendations:
  For Mattermost Server versions prior to 4.0.0, update to version 4.0.0 or later.
  For Mattermost Server version 3.10.2, update to version 3.10.3 or later, or apply the necessary patch.
  For Mattermost Server version 3.9.2, update to version 3.9.3 or later, or apply the necessary patch.
  As a temporary workaround, consider restricting access to the password reset functionality until a patch is available.
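The flaw class in the description, a reset link delivered to an address chosen by the requester rather than the one registered on the account, is illustrated below in Go with the weak handler beside a hardened one. This is an added example written for this page, not Mattermost's code; the account store, the Mailer type, the login/destination request fields and the token scheme are all constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Account is a constructed stand-in for a stored user record; Email is the
// address the owner registered, the only place a reset link may be delivered.
type Account struct {
	ID    string
	Login string
	Email string
}

// accounts is constructed sample data standing in for the user database.
var accounts = map[string]Account{
	"alice": {ID: "u1", Login: "alice", Email: "alice@example.com"},
}

// Mailer records delivery targets so the two handlers can be compared offline;
// a real implementation would hand the message to an SMTP client.
type Mailer struct {
	Sent []string // recipient addresses, in send order
}

func (m *Mailer) SendResetLink(to, token string) {
	m.Sent = append(m.Sent, to)
}

// newResetToken returns a 256-bit random token, hex encoded (64 characters).
// A real service would store a hash of it with an expiry, bound to the account ID.
func newResetToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// weakReset models the flaw class the advisory describes (hypothetical shape):
// the request carries both the login to reset and the address to notify, and
// the handler delivers the link to the caller-chosen address after only
// checking that the login exists.
func weakReset(login, destination string, m *Mailer) error {
	if _, ok := accounts[strings.ToLower(login)]; !ok {
		return fmt.Errorf("no account for %q", login)
	}
	token, err := newResetToken()
	if err != nil {
		return err
	}
	m.SendResetLink(destination, token) // trusts request data for the recipient
	return nil
}

// safeReset never accepts a destination from the request: the link goes to the
// address stored on the account, and an unknown login yields the same nil
// result as a known one so the response does not disclose which logins exist.
func safeReset(login string, m *Mailer) error {
	acct, ok := accounts[strings.ToLower(login)]
	if !ok {
		return nil // respond identically; nothing is sent
	}
	token, err := newResetToken()
	if err != nil {
		return err
	}
	m.SendResetLink(acct.Email, token)
	return nil
}

func main() {
	var weak, safe Mailer
	// The caller asks to reset "alice" but names an address alice never registered.
	_ = weakReset("alice", "someone-else@example.net", &weak)
	_ = safeReset("alice", &safe)
	fmt.Println("weak handler delivered to:", weak.Sent)
	fmt.Println("safe handler delivered to:", safe.Sent)
}
```

The defensive point is in safeReset: the recipient is read from the account record, never from the request, and the handler's observable behaviour is the same whether or not the login exists. Detection for the weak pattern is a code-review check for any reset or verification mail whose recipient derives from request input.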

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers

CVE-2017-18908
GHSA-34CX-HVM4-VX7J
GO-2026-4476
SUSE-SU-2026:0757-1

Affected Products

Mattermost Server