11/8/2023
11/8/2023
1/10/2024
CVE-2023-4106: A guest user can perform various actions on public playbooks
First published: Fri Aug 11 2023(Updated: )
Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix |
---|
Mattermost Mattermost | >=7.8.0<7.8.8 | |
Mattermost Mattermost | >=7.9.0<7.9.6 | |
Mattermost Mattermost | >=7.10.0<7.10.4 | |
go/github.com/mattermost/mattermost-server/v6 | <=7.8.7 | 7.8.8 |
go/github.com/mattermost/mattermost-server/v6 | >=7.10.0<=7.10.3 | 7.10.4 |
go/github.com/mattermost/mattermost-server/v6 | >=7.9.0<=7.9.5 | 7.9.6 |
Remedy
Update Mattermost Server to versions 7.8.8, 7.9.5, 7.10.4 or higher. Otherwise, update the Playbooks plugin to version v1.37.0 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-4106?
CVE-2023-4106 is a vulnerability in Mattermost that allows a guest user to perform unauthorized actions on public playbooks.
How severe is CVE-2023-4106?
CVE-2023-4106 is rated as medium severity with a CVSS score of 6.3.
Which software versions are affected by CVE-2023-4106?
Affected versions of Mattermost include 7.8.0 to 7.8.8, 7.9.0 to 7.9.6, and 7.10.0 to 7.10.4.
How can a guest user exploit CVE-2023-4106?
A guest user can exploit CVE-2023-4106 to view, join, edit, export, and archive public playbooks in Mattermost.
How can CVE-2023-4106 be fixed?
To fix CVE-2023-4106, upgrade Mattermost to version 7.8.9, 7.9.7, or 7.10.5.
- collector/nvd-api
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-p267-jjfq-pphf
- alias/CVE-2023-4106
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/title
- agent/remedy
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/7.8.0
- version/mattermost mattermost/7.9.0
- version/mattermost mattermost/7.10.0
- package-manager/go
Contact
SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.coBy using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203