CVE-2022-1002: HTML Injection while inviting Guests
First published: Fri Mar 18 2022(Updated: )
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost Mattermost | <6.4.0 |
Remedy
Update Mattermost to version v6.4 or higher
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-1002?
CVE-2022-1002 is a vulnerability in Mattermost 6.3.0 and earlier that allows registered users to inject unescaped HTML content in email invitations to guest users.
How does CVE-2022-1002 impact Mattermost?
CVE-2022-1002 allows registered users with special permissions to invite guest users and inject unescaped HTML content in the email invitations.
What is the severity of CVE-2022-1002?
CVE-2022-1002 has a severity value of 5.4, which is considered medium.
How can I fix CVE-2022-1002 in Mattermost?
To fix CVE-2022-1002, update to Mattermost version 6.4.0 or later, which properly sanitizes HTML content in email invitations sent to guest users.
Are there any references for CVE-2022-1002?
Yes, you can find more information about CVE-2022-1002 in the following references: [HackerOne report](https://hackerone.com/reports/1443567) and [Mattermost security updates](https://mattermost.com/security-updates/).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/tags
- agent/title
- agent/description
- agent/first-publish-date
- agent/event
- vendor/mattermost
- canonical/mattermost mattermost