Mattermost Cross-Site Request Forgery vulnerability

GHSA-hrf9-rm95-fpf3 · CVE-2024-40886 · GO-2024-3097

Published Aug 22, 2024 · Modified Aug 30, 2024

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-40886
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes