CVE-2021-37866 MEDIUM

CVE-2021-37866: Session is not invalidated on server-side when user logged out of Boards

Vendor Mattermost
Product Mattermost Boards
Weakness CWE-613 · Insufficient session expiration
Published January 18, 2022
Last update December 6, 2024

CVSS base score

4.7/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.

Key dates

02Disclosure timeline

January 18, 2022 CVE published
December 6, 2024 Record updated