Main Vulnerability Database SB2020061970

SB2020061970 - Multiple vulnerabilities in Mattermost, Mattermost Server

Published: June 19, 2020 Updated: August 8, 2020

Security Bulletin ID SB2020061970

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2017-18870)

The vulnerability allows a remote authenticated user to manipulate data.

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.

2) Input validation error (CVE-ID: CVE-2017-18871)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.

Remediation

Install update from vendor's website.

References

https://mattermost.com/security-updates/