CVE-2023-2193 MEDIUM

CVE-2023-2193: Oauth authorization codes do not expire when deauthorizing an oauth2 app

Vendor Mattermost

Product Mattermost

Weakness CWE-862 · Missing authorization

Published April 20, 2023

Last update December 6, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.

Key dates

02Disclosure timeline

April 20, 2023 CVE published

December 6, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-2193 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-1925 EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification CVE-2026-24996 WordPress WPElemento Importer plugin <= 0.6.4 - Broken Access Control vulnerability CVE-2025-49041 WordPress Get Cash plugin <= 3.2.3 - Broken Access Control vulnerability CVE-2025-49394 WordPress Image Gallery block – Create and display photo gallery/photo album. plugin <= 1.0.7 - Broken Authentication vulnerability CVE-2023-25454 WordPress Protected Posts Logout Button plugin <= 1.4.5 - Broken Access Control vulnerability

Identifiers

CVE CVE-2023-2193

CWE CWE-862

CVSS 6.5 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≤ 7.1.7

Vendor Mattermost

Product Mattermost

Affected ≤ 7.7.3

Vendor Mattermost

Product Mattermost

Affected ≤ 7.8.2

Vendor Mattermost

Product Mattermost

Affected ≤ 7.9.1