Multiple vulnerabilities in Mattermost, Mattermost Server

1) Input validation error

EUVDB-ID: #VU34240

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20862

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mattermost Server:

CPE2.3

• cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

External links

https://mattermost.com/security-updates/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU34241

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20863

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mattermost Server:

CPE2.3

• cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

External links

https://mattermost.com/security-updates/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.