CVE-2023-6202

Summary

Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 7.8.12affected
MattermostMattermost0 <= 8.1.3affected
MattermostMattermost0 <= 9.0.1affected
MattermostMattermost0 <= 9.1.0affected
MattermostMattermost9.0.2unaffected
MattermostMattermost9.1.1unaffected
MattermostMattermost7.8.13unaffected
MattermostMattermost8.1.4unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References