CVE-2023-45316

Name of the Vulnerable Software and Affected Versions Mattermost versions prior to the fixed version

Description The issue is related to a lack of validation for relative paths in the /plugins/playbooks/api/v0/telemetry/run/<telem run id> endpoint, allowing an attacker to use a path traversal payload to point to a different endpoint, leading to a CSRF attack. This can be exploited by a remote attacker to perform a CSRF attack.

Recommendations As a temporary workaround, consider disabling the /plugins/playbooks/api/v0/telemetry/run/<telem run id> endpoint until a patch is available. Restrict access to the telem run id parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.