CVE-2023-2783

App Framework does not checks for the secret provided in the incoming webhook request

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

*Credits: Rohitesh Gupta

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-05-18 CVE Reserved
2023-06-16 CVE Published
2024-06-22 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://mattermost.com/security-updates	2023-06-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mattermost Search vendor "Mattermost"		Mattermost Search vendor "Mattermost" for product "Mattermost"				>= 7.8.0 <= 7.8.4 Search vendor "Mattermost" for product "Mattermost" and version " >= 7.8.0 <= 7.8.4"		-		Affected
Mattermost Search vendor "Mattermost"		Mattermost Search vendor "Mattermost" for product "Mattermost"				>= 7.9.0 <= 7.9.3 Search vendor "Mattermost" for product "Mattermost" and version " >= 7.9.0 <= 7.9.3"		-		Affected
Mattermost Search vendor "Mattermost"		Mattermost Search vendor "Mattermost" for product "Mattermost"				7.10.0 Search vendor "Mattermost" for product "Mattermost" and version "7.10.0"		-		Affected