PT-2024-32265 · Mattermost+1 · Mattermost+1

Doyensec

Published

2024-10-29

Updated

2024-11-09

CVE-2024-46872

CVSS v4.0

5.1

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.10.x through 9.10.2 Mattermost versions 9.11.x through 9.11.1 Mattermost versions 9.5.x through 9.5.9

Description The issue is related to a failure in sanitizing user inputs in the frontend, which are used for redirection. This leads to a one-click client-side path traversal, resulting in Cross-Site Request Forgery (CSRF) in Playbooks.

Recommendations For versions 9.10.x through 9.10.2, update to a version later than 9.10.2 to resolve the issue. For versions 9.11.x through 9.11.1, update to a version later than 9.11.1 to resolve the issue. For versions 9.5.x through 9.5.9, update to a version later than 9.5.9 to resolve the issue.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

BIT-MATTERMOST-2024-46872

CVE-2024-46872

GHSA-762G-9P7F-MRWW

GO-2024-3233

OPENSUSE-SU-2024:0350-1

OPENSUSE-SU-2024:14458-1

OPENSUSE-SU-2024_3950-1

SUSE-SU-2024:3950-1

Affected Products

Mattermost

Suse

PT-2024-32265 · Mattermost+1 · Mattermost+1

CVE-2024-46872

Weakness Enumeration

Related Identifiers

Affected Products

References · 72