CVE-2023-6458

HIGH7.1EPSS 0.46%

Mattermost Injection vulnerability

Published: 12/6/2023Modified: 2/4/2026

Also known as:GHSA-7664-hcp7-f497BIT-mattermost-2023-6458CGA-g59p-x232-xvr9

Description

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.

Affected packages (4)

Bitnami/mattermostfrom 0, < 7.8.14, >= 8.0.0, < 8.1.5, >= 9.0.0, < 9.0.3, >= 9.1.0, < 9.1.2
Go/github.com/mattermost/mattermost/server>= 9.1.0, < 9.1.2
Go/github.com/mattermost/mattermost-server/v6from 0, < 7.8.14
Go/github.com/mattermost/mattermost/server/v8from 0, < 8.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-6458
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates