CVE-2021-37860

Name of the Vulnerable Software and Affected Versions: Mattermost versions 5.38 and earlier

Description: The issue is related to insufficient sanitization of clipboard contents, allowing a user-assisted attacker to inject arbitrary web script in product deployments where the default Content Security Policy (CSP) is explicitly disabled. This enables the attacker to perform cross-site scripting attacks.

Recommendations: For Mattermost versions 5.38 and earlier, update to a version that includes the fix for this issue to prevent arbitrary web script injection. As a temporary workaround, consider enabling the default CSP to minimize the risk of exploitation. Restrict access to clipboard contents in deployments where the default CSP is disabled to reduce the attack surface.