CVE-2018-21251
CRITICALMattermost Server < 5.2 and < 5.1.1 - Missing Authorization via Channel Name Mismatch
Title source: llmDescription
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://mattermost.com/security-updates/
Scores
CVSS v3
9.8
EPSS
0.0041
EPSS Percentile
61.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (2)
mattermost/mattermost_server
5.2.0 rc1 (6 CPE variants)
mattermost/mattermost_server
< 5.1.1
Published
Jun 19, 2020
Tracked Since
Feb 18, 2026