Home
MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LDefault status
unaffected
10.11.0 (semver)
affected
10.5.0 (semver)
affected
10.12.0 (semver)
affected
11.0.0
unaffected
10.11.4
unaffected
10.5.12
unaffected
10.12.1
unaffected
Description
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Problem types
CWE-306: Missing Authentication for Critical Function
Product status
10.11.0 (semver)
10.5.0 (semver)
10.12.0 (semver)
11.0.0
10.11.4
10.5.12
10.12.1
Credits
Juho Forsén
References
mattermost.com/security-updates
