CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1775 – Unsanitized events sent over Websocket to regular users in a High Availability environment
https://notcve.org/view.php?id=CVE-2023-1775
31 Mar 2023 — When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1774 – Unauthorized email invite to a private channel
https://notcve.org/view.php?id=CVE-2023-1774
31 Mar 2023 — When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •