CVE-2023-2808

Summary

Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 < 7.1.9affected
MattermostMattermost0 < 7.8.4affected
MattermostMattermost0 < 7.9.3affected
MattermostMattermost7.1.9unaffected
MattermostMattermost7.8.4unaffected
MattermostMattermost7.9.3unaffected
MattermostMattermost7.10unaffected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References