Missing Authorization in Mattermost Server - CVE-2018-21251

 

Missing Authorization in Mattermost Server - CVE-2018-21251

Published: June 19, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30226
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-21251
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.


How to mitigate CVE-2018-21251

Install update from vendor's website.

Sources