SB2020061933 - Multiple vulnerabilities in Mattermost, Mattermost Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020061933

SB2020061933 - Multiple vulnerabilities in Mattermost, Mattermost Server

Published: June 19, 2020 Updated: July 17, 2020

Security Bulletin ID SB2020061933
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2017-18900)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.


2) Information disclosure (CVE-ID: CVE-2017-18901)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.


3) Information disclosure (CVE-ID: CVE-2017-18902)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.


Remediation

Install update from vendor's website.

References