CVE-2023-2784 MEDIUM

CVE-2023-2784: Apps Framework allows install requests from regular members via an internal path

Vendor Mattermost
Product Mattermost App Framework
Weakness CWE-862 · Missing authorization
Published June 16, 2023
Last update December 6, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

01 Description

Mattermost fails to verify whether the requestor is a sysadmin before allowing `install` requests to the Apps, which allows a regular user to send install requests to the Apps.

Key dates

02 Disclosure timeline

June 16, 2023 CVE published
December 6, 2024 Record updated