CVE-2023-48732

MEDIUM

Mattermost < 8.1.7 - Unauthorized Exposure of Notification Information via WebSocket Broadcast

Title source: llm

Description

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.

References (1)

Core 1

Core References

Vendor Advisory

https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0059

EPSS Percentile 69.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

mattermost/mattermost 0 - 8.1.7Go

mattermost/mattermost-server 0 - 8.1.7Go

mattermost/mattermost_server < 8.1.7

Published Jan 02, 2024

Tracked Since Feb 18, 2026