CVE-2023-6202 MEDIUM

CVE-2023-6202: Insecure Direct Object Reference in /plugins/focalboard/api/v2/users of Mattermost Boards

Vendor Mattermost
Product Mattermost
Weakness CWE-284
Published November 27, 2023
Last update October 11, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint, allowing an attacker who is a guest user and who knows the ID of another user to retrieve that user's information (e.g. name, surname, nickname) via Mattermost Boards.

Key dates

Disclosure timeline

November 27, 2023 CVE published
October 11, 2024 Record updated