CVE-2024-1402 MEDIUM

CVE-2024-1402: Denial of service in Mattermost mobile apps and server via emoji reactions

Vendor Mattermost
Product Mattermost
Weakness CWE-400
Published February 9, 2024
Last update August 1, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Mattermost fails to check whether a custom emoji reaction exists when it is sent to a post, and fails to limit the number of custom emojis that can be added to a post. An attacker who sends a huge number of non-existent custom emojis to a post can crash the mobile app of any user who views the post, and can crash the server through overload when clients attempt to retrieve that post.
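
The two missing server-side checks named in the description, sketched as an added Go example; this is not Mattermost's code or its actual fix. The types `Post` and `EmojiCatalog`, the function `AddReaction`, and the cap of 50 are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed cap on distinct emoji per post; the advisory does not name a value.
const maxDistinctReactions = 50

var (
	ErrUnknownEmoji = errors.New("reaction emoji does not exist")
	ErrTooMany      = errors.New("post has the maximum number of distinct reactions")
)

// Post maps each emoji name to the set of user IDs that reacted with it.
type Post struct{ Reactions map[string]map[string]bool }

// EmojiCatalog is a hypothetical stand-in for the server's emoji lookup.
type EmojiCatalog struct{ System, Custom map[string]bool }

func (c EmojiCatalog) Exists(name string) bool { return c.System[name] || c.Custom[name] }

// AddReaction runs both checks before any state is written, so a rejected
// request leaves nothing behind for clients to fetch and render.
func AddReaction(p *Post, c EmojiCatalog, userID, emoji string) error {
	if !c.Exists(emoji) { // check 1: the emoji must actually exist
		return ErrUnknownEmoji
	}
	if p.Reactions == nil {
		p.Reactions = map[string]map[string]bool{}
	}
	users, seen := p.Reactions[emoji]
	if !seen {
		if len(p.Reactions) >= maxDistinctReactions { // check 2: bounded growth
			return ErrTooMany
		}
		users = map[string]bool{}
		p.Reactions[emoji] = users
	}
	users[userID] = true
	return nil
}

func main() {
	// Constructed sample data.
	cat := EmojiCatalog{System: map[string]bool{"thumbsup": true}, Custom: map[string]bool{"team_logo": true}}
	p := &Post{}
	fmt.Println(AddReaction(p, cat, "u1", "thumbsup"))
	fmt.Println(AddReaction(p, cat, "u1", "no_such_emoji"))
}
```

Rejected requests are also worth logging per user, since a burst of `ErrUnknownEmoji` responses from one account is a usable detection signal.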

Key dates

02 Disclosure timeline

February 9, 2024 CVE published
August 1, 2024 Record updated