CVE-2023-45316 HIGH

CVE-2023-45316: Reflected client side path traversal leading to CSRF in Playbooks

Vendor Mattermost
Product Mattermost
Weakness CWE-352 · CSRF
Published December 12, 2023
Last update May 24, 2025

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

Mattermost fails to validate whether the telemetry run ID passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> is a relative path, allowing an attacker to supply a path traversal payload that resolves to a different endpoint, leading to a CSRF attack.
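The root cause described above is a value taken from the page URL being concatenated into an API path without being checked as a single path segment. The following is an added example, not code from Mattermost or the Playbooks plugin, showing the unsafe concatenation beside a hardened version that validates the ID before building the request path. The 26-character lowercase alphanumeric ID format and the helper names are assumptions for illustration.

```javascript
// Added example, not Mattermost or Playbooks code. Assumes the telemetry run
// ID is one opaque path segment; the 26-char lowercase alphanumeric pattern
// is an assumed ID format used here only for illustration.
const API_BASE = '/plugins/playbooks/api/v0/telemetry/run/';
const RUN_ID_PATTERN = /^[a-z0-9]{26}$/;

// Returns true only if the raw value (as read from the page URL) is one
// well-formed ID. Decoding first means percent-encoded separators such as
// "%2f" or "%2e%2e" are rejected just like their literal forms.
function isValidRunId(raw) {
    if (typeof raw !== 'string' || raw === '') {
        return false;
    }
    let decoded;
    try {
        decoded = decodeURIComponent(raw);
    } catch (e) {
        return false; // malformed percent-encoding is never a valid ID
    }
    if (decoded.includes('/') || decoded.includes('\\') || decoded.includes('..')) {
        return false;
    }
    return RUN_ID_PATTERN.test(decoded);
}

// Hardened form: the path is built only for a validated ID, and the ID is
// appended as a single escaped segment so it cannot select another endpoint.
// Returns null when the ID is rejected, so the caller issues no request.
function buildTelemetryPath(rawId) {
    if (!isValidRunId(rawId)) {
        return null;
    }
    return API_BASE + encodeURIComponent(rawId);
}

// Unsafe 'before' shape for comparison: an unchecked value concatenated
// straight into the path, which is the pattern the advisory describes.
function buildTelemetryPathUnsafe(rawId) {
    return API_BASE + rawId;
}
```

The check is deliberately an allow-list on the decoded value rather than a deny-list of traversal strings: any ID that is not exactly the expected identifier shape is refused, which also covers separators hidden behind percent-encoding or double-encoding.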

Key dates

02 Disclosure timeline

December 12, 2023 CVE published
May 24, 2025 Record updated