CVE-2023-35075

Summary

Mattermost fails to use  innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. 

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 8.1.3affected
MattermostMattermost0 <= 7.8.12affected
MattermostMattermost7.8.13unaffected
MattermostMattermost8.1.4unaffected

Weaknesses

  • CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References