Description
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
References (1)
Scores
CVSS v3: 4.9
EPSS: 0.0014
EPSS Percentile: 33.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200, CWE-116
Status: published
Products (5)
mattermost/mattermost: 9.0.0
mattermost/mattermost: < 7.8.11
mattermost/mattermost: 8.0.0 - 8.0.4 (Go)
mattermost/mattermost-server: 0 - 5.3.2-0.20230825233148-f787fd63368a (Go; 2 CPE variants)
mattermost/mattermost-server: 5.4.0-rc1 - 7.8.12 (Go)
Published: Nov 06, 2023
Tracked Since: Feb 18, 2026