CVE-2023-27265: Disclosure of team owner email address when regenerating Invite ID
First published: Mon Feb 27 2023(Updated: )
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost Mattermost Server | >=5.12.0<7.7.0 |
Remedy
Update Mattermost to version 7.7.0 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Mattermost vulnerability?
The vulnerability ID for this Mattermost vulnerability is CVE-2023-27265.
What is the title of this Mattermost vulnerability?
The title of this Mattermost vulnerability is 'Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the 'Regenerate Invite Id' API endpoint'.
What is the impact of this vulnerability?
This vulnerability allows an attacker with team admin privileges to learn the team owner's email address in the response.
What is the affected software version range for this vulnerability?
The affected software version range for this vulnerability is between 5.12.0 and 7.7.0.
How can I fix this vulnerability in Mattermost?
To fix this vulnerability, you should upgrade to a version of Mattermost Server that is at least 7.7.0.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/title
- agent/remedy
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/mattermost
- canonical/mattermost mattermost server
- version/mattermost mattermost server/5.12.0