Missing Authorization in Mattermost Server - CVE-2018-21251
Published: June 19, 2020 / Updated: July 17, 2020
Vulnerability identifier: #VU30226
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-21251
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server
Mattermost Server
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.
How to mitigate CVE-2018-21251
Install update from vendor's website.