CVE-2024-2445
EUVD-2024-2739515.03.2024, 10:15
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| mattermost | mattermost_server | 8.1.0 ≤ 𝑥 < 8.1.10 |
| mattermost | mattermost_server | 9.2.0 ≤ 𝑥 < 9.2.6 |
| mattermost | mattermost_server | 9.3.0 ≤ 𝑥 < 9.3.2 |
| mattermost | mattermost_server | 9.4.0 ≤ 𝑥 < 9.4.3 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| mattermost | mattermost | 9.4.0 ≤ 𝑥 ≤ 9.4.2 | CNA |
| mattermost | mattermost | 9.3.0 ≤ 𝑥 ≤ 9.3.1 | CNA |
| mattermost | mattermost | 9.2.0 ≤ 𝑥 ≤ 9.2.5 | CNA |
| mattermost | mattermost | 8.1.0 ≤ 𝑥 ≤ 8.1.9 | CNA |
Common Weakness Enumeration
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.