PT-2024-20399 · Mattermost · Mattermost
Juho Nurminen · Published 2024-03-15 · Updated 2024-12-16 · CVE-2024-2445
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10
Mattermost Jira plugin versions shipped with Mattermost versions 9.2.x before 9.2.6
Mattermost Jira plugin versions shipped with Mattermost versions 9.3.x before 9.3.2
Mattermost Jira plugin versions shipped with Mattermost versions 9.4.x before 9.4.3
Description
The Mattermost Jira plugin fails to HTML-escape user-controlled input when generating HTML pages, allowing an attacker to perform reflected cross-site scripting (XSS) attacks against users of the Mattermost server. As the CVSS vector indicates (UI:R), exploitation requires a victim to follow an attacker-supplied link; the injected script then runs in the victim's browser in the context of the Mattermost server's origin.
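The following is an added illustration of the flaw class described above, written for this page and not taken from the Jira plugin's code base. It models a hypothetical plugin HTTP handler that reflects a `msg` query parameter into an HTML error page: `renderVulnerable` concatenates the value straight into the markup, while `renderSafe` renders it through Go's `html/template`, which escapes the value for the HTML context it lands in. The handler path, parameter name and payload are constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// renderVulnerable is a hypothetical error-page renderer (not the plugin's
// actual code). The user-controlled value is concatenated into HTML, so any
// markup in it is interpreted by the browser: a reflected XSS sink.
func renderVulnerable(msg string) string {
	return "<html><body><p>Error: " + msg + "</p></body></html>"
}

// safeTmpl is the hardened counterpart. html/template is context-aware and
// escapes {{.}} for the HTML text node it appears in.
var safeTmpl = template.Must(template.New("err").Parse(
	"<html><body><p>Error: {{.}}</p></body></html>"))

// renderSafe renders the same page with the value escaped.
func renderSafe(msg string) (string, error) {
	var sb strings.Builder
	if err := safeTmpl.Execute(&sb, msg); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// handler reflects the "msg" query parameter back to the user, the way a
// plugin callback might report a connection error. safe selects the renderer.
func handler(safe bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		msg := r.URL.Query().Get("msg")
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		if !safe {
			fmt.Fprint(w, renderVulnerable(msg))
			return
		}
		out, err := renderSafe(msg)
		if err != nil {
			http.Error(w, "render failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprint(w, out)
	}
}

// ScriptReflected drives a handler through httptest with the given payload
// (hypothetical path /plugins/example/error) and reports whether a raw
// <script> tag survived into the response body.
func ScriptReflected(safe bool, payload string) bool {
	target := "/plugins/example/error?msg=" + url.QueryEscape(payload)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	handler(safe)(rec, req)
	return strings.Contains(rec.Body.String(), "<script>")
}

func main() {
	// Constructed test payload, not from the advisory.
	payload := `<script>alert(document.cookie)</script>`
	fmt.Println("vulnerable renderer reflects <script>:", ScriptReflected(false, payload))
	fmt.Println("hardened renderer reflects <script>:", ScriptReflected(true, payload))
}
```

Two caveats for anyone applying the hardened pattern: `html/template` only protects values that flow through the template, so any `fmt.Fprintf`/string concatenation into the response body elsewhere in the handler reintroduces the sink, and escaping for the text context is not sufficient if the value is later placed in an attribute, URL or inline script (the template engine handles those contexts when the value is interpolated there, manual escaping usually does not).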
Recommendations
For Mattermost versions 8.1.x before 8.1.10, update to version 8.1.10 or later.
For Mattermost versions 9.2.x before 9.2.6, update to version 9.2.6 or later.
For Mattermost versions 9.3.x before 9.3.2, update to version 9.3.2 or later.
For Mattermost versions 9.4.x before 9.4.3, update to version 9.4.3 or later.
Fix
Special Elements Injection
XSS
Affected Products
Mattermost