CVE-2023-35075: HTML injection via channel autocomplete
First published: Mon Nov 27 2023(Updated: )
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/mattermost/mattermost-server/v6 | <7.8.13 | 7.8.13 |
| go/github.com/mattermost/mattermost/server/v8 | <8.1.4 | 8.1.4 |
| Mattermost Mattermost | <=7.8.12 | |
| Mattermost Mattermost | >=8.0.0<=8.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this mattermost vulnerability?
The vulnerability ID of this mattermost vulnerability is CVE-2023-35075.
What is the severity level of CVE-2023-35075?
The severity level of CVE-2023-35075 is low with a severity value of 3.1.
What is the affected software for CVE-2023-35075?
The affected software for CVE-2023-35075 is Mattermost, specifically versions up to and including 7.8.13 and versions up to and including 8.1.4.
How can an attacker exploit CVE-2023-35075?
An attacker can exploit CVE-2023-35075 by creating a channel name that is valid HTML, allowing them to inject HTML into a victim's page during autocomplete.
Is XSS possible as a result of CVE-2023-35075?
No, XSS is not possible as a result of CVE-2023-35075.
- collector/mitre-cve
- collector/github-advisory-latest
- alias/GHSA-jcgv-3pfq-j4hr
- alias/CVE-2023-35075
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory
- package-manager/go
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/7.8.12
- version/mattermost mattermost/8.0.0
- version/mattermost mattermost/8.1.3