CVE-2023-6458
EUVD-2023-313906.12.2023, 09:15
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| mattermost | mattermost_server | 𝑥 < 7.8.14 |
| mattermost | mattermost_server | 8.0.0 ≤ 𝑥 < 8.1.5 |
| mattermost | mattermost_server | 9.0.0 ≤ 𝑥 < 9.0.3 |
| mattermost | mattermost_server | 9.1.0 ≤ 𝑥 < 9.1.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.