CVE-2018-21251

EUVD-2018-13766
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
𝑥
< 5.1.1
mattermostmattermost_server
5.2.0:rc1
mattermostmattermost_server
5.2.0:rc2
mattermostmattermost_server
5.2.0:rc3
mattermostmattermost_server
5.2.0:rc4
mattermostmattermost_server
5.2.0:rc5
mattermostmattermost_server
5.2.0:rc6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates/
https://mattermost.com/security-updates/