CVE-2024-2445

Summary

Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.4.0 <= 9.4.2affected
MattermostMattermost9.3.0 <= 9.3.1affected
MattermostMattermost9.2.0 <= 9.2.5affected
MattermostMattermost8.1.0 <= 8.1.9affected
MattermostMattermost9.5.0unaffected
MattermostMattermost9.4.3unaffected
MattermostMattermost9.3.2unaffected
MattermostMattermost9.2.6unaffected
MattermostMattermost8.1.10unaffected

Weaknesses

  • CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References