CVE-2023-47865

Source
https://cve.org/CVERecord?id=CVE-2023-47865
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-47865.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-47865
Aliases
Related
Published
2023-11-27T09:05:19.917Z
Modified
2026-05-28T04:09:43.520933774Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Username and Icon override can be used by members when Hardened Mode is enabled
Details

Mattermost fails to check whether Hardened Mode is enabled when the username and/or icon of a post are overridden. If the settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post, even if the Hardened Mode setting was enabled.

Database specific
{
    "cwe_ids": [
        "CWE-284"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "8.1.3"
                },
                {
                    "last_affected": "7.8.12"
                }
            ]
        }
    ],
    "cna_assigner": "Mattermost",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/47xxx/CVE-2023-47865.json"
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.8.12"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "last_affected": "8.1.3"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

@mattermost/client@8.*
@mattermost/client@8.1.1
@mattermost/types@8.*
@mattermost/types@8.1.1
Other
cloud-2022-07-20-1
cloud-2022-08-10-1
cloud-2022-09-08-1
cloud-2022-10-06-1
cloud-2022-11-11-1
cloud-2022-11-24-1
cloud-2023-01-26-1
cloud-2023-07-26-1
server/public/v0.*
server/public/v0.0.5
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v7.*
v7.8.0
v7.8.1
v7.8.10
v7.8.10-rc3
v7.8.10-rc4
v7.8.10-rc5
v7.8.11
v7.8.11-rc1
v7.8.12
v7.8.12-rc1
v7.8.12-rc2
v7.8.2
v7.8.3
v7.8.4
v7.8.5
v7.8.6
v7.8.7
v7.8.8
v7.8.9
v8.*
v8.1.0
v8.1.0-rc2
v8.1.1
v8.1.1-rc1
v8.1.1-rc2
v8.1.2
v8.1.2-rc1
v8.1.2-rc2
v8.1.3
v8.1.3-rc1
v8.1.3-rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-47865.json"