Severity: MEDIUM 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Default status: unaffected
Affected version ranges (semver) and the release that fixes each:
9.11.x: affected from 9.11.0; unaffected from 9.11.13
10.5.x: affected from 10.5.0; unaffected from 10.5.4
10.6.x: affected from 10.6.0; unaffected from 10.6.3
10.7.x: affected from 10.7.0; unaffected from 10.7.1
10.8.0: unaffected
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
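The following Go example is added here to illustrate the defect class the description names; it is not Mattermost's code, and the User type, field names and the ConvertUserToBot / FindBotsWithLingeringOAuth functions are assumptions made for the illustration. It shows the conversion routine clearing the provider linkage (the step the advisory says was missing), plus an audit over a constructed user list that flags bot accounts still carrying an OAuth linkage, which is what an operator would look for on an already-deployed instance.

```go
package main

import "fmt"

// User is an assumed, simplified account model for this example; it is not
// Mattermost's actual User type.
type User struct {
	ID          string
	Username    string
	IsBot       bool
	AuthService string  // identity provider linked to the account, e.g. "google"; "" for password accounts
	AuthData    *string // provider-side subject identifier; nil when no provider is linked
	Password    string  // password hash; "" once cleared
}

// ConvertUserToBot returns a copy of u converted to a bot account. The point
// of the advisory is the last two assignments: a bot must not keep the OAuth
// linkage of the user it was converted from, otherwise the provider identity
// still resolves to the (now bot) account during OAuth sign-in.
func ConvertUserToBot(u User) User {
	bot := u
	bot.IsBot = true
	bot.Password = ""
	bot.AuthService = "" // clear the provider linkage
	bot.AuthData = nil   // clear the provider subject id
	return bot
}

// FindBotsWithLingeringOAuth is a defender's audit for an existing deployment:
// it lists bot accounts that still carry an OAuth linkage, which is what a
// conversion that forgot to clear these fields would leave behind.
func FindBotsWithLingeringOAuth(users []User) []string {
	var ids []string
	for _, u := range users {
		if u.IsBot && (u.AuthService != "" || u.AuthData != nil) {
			ids = append(ids, u.ID)
		}
	}
	return ids
}

func strPtr(s string) *string { return &s }

// SampleUsers is a constructed data set: one normal Google-linked user, one
// bot converted with the auth fields cleared, and one bot that kept them.
func SampleUsers() []User {
	return []User{
		{ID: "user-1", Username: "alice", AuthService: "google", AuthData: strPtr("google-sub-alice")},
		{ID: "bot-1", Username: "deploybot", IsBot: true},
		{ID: "bot-2", Username: "oldbot", IsBot: true, AuthService: "google", AuthData: strPtr("google-sub-old")},
	}
}

func main() {
	converted := ConvertUserToBot(SampleUsers()[0])
	fmt.Printf("converted %s: isBot=%v authService=%q authData=%v\n",
		converted.Username, converted.IsBot, converted.AuthService, converted.AuthData)
	// Expected: only bot-2 is reported, since bot-1 was converted cleanly.
	fmt.Println("bots with lingering OAuth linkage:", FindBotsWithLingeringOAuth(SampleUsers()))
}
```

Running the audit against the constructed data reports only bot-2; re-running ConvertUserToBot over such accounts (or clearing the two fields directly in the database) removes the linkage, which is the remediation the fixed releases apply at conversion time.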
Problem types
CWE-303: Incorrect Implementation of Authentication Algorithm
Credits
eAhmed
References
mattermost.com/security-updates