CVE-2023-47168: Open redirect in /oauth/<service>/mobile_login?redirect_to=
First published: Mon Nov 27 2023(Updated: )
Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to=
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/mattermost/mattermost-server/v6 | <7.8.13 | 7.8.13 |
| go/github.com/mattermost/mattermost/server/v8 | <8.1.4 | 8.1.4 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.0.0<9.0.2 | 9.0.2 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.1.0<9.1.1 | 9.1.1 |
| Mattermost Mattermost | <=7.8.12 | |
| Mattermost Mattermost | >=8.0.0<=8.1.3 | |
| Mattermost Mattermost | >=9.0.0<=9.0.1 | |
| Mattermost Mattermost | =9.1.0 |
Remedy
Update Mattermost Server to versions 9.0.2, 9.1.1, 7.8.13, 8.1.4 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-47168?
CVE-2023-47168 is an open redirect vulnerability in Mattermost that allows for unauthorized redirection of users to malicious websites.
How does the open redirect vulnerability in Mattermost work?
The open redirect vulnerability in Mattermost occurs when the user clicks on "Back to Mattermost" after providing an invalid custom URL scheme, allowing for the redirection to an attacker-controlled website.
What is the severity of CVE-2023-47168?
The severity of CVE-2023-47168 is medium, with a CVSS score of 4.3.
Which versions of Mattermost are affected by CVE-2023-47168?
Versions 7.8.13 up to exclusive, 8.1.4 up to exclusive, 9.0.0 up to inclusive exclusive, and 9.1.0 up to inclusive exclusive of Mattermost are affected by CVE-2023-47168.
How can I fix the open redirect vulnerability in Mattermost?
To fix the open redirect vulnerability, it is recommended to update Mattermost to versions 7.8.13, 8.1.4, 9.0.2, or 9.1.1, depending on the affected version.
- collector/github-advisory-latest
- alias/GHSA-4ghx-8jw8-p76q
- alias/CVE-2023-47168
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory
- agent/severity
- agent/weakness
- agent/title
- agent/references
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- package-manager/go
- vendor/mattermost
- canonical/mattermost mattermost
- version/mattermost mattermost/7.8.12
- version/mattermost mattermost/8.0.0
- version/mattermost mattermost/8.1.3
- version/mattermost mattermost/9.0.0
- version/mattermost mattermost/9.0.1
- version/mattermost mattermost/9.1.0