Exposure of Resource to Wrong Sphere
CVE-2023-1562
Summary
Mattermost fails to check the "Show Full Name" setting when rendering the result for the "/plugins/focalboard/api/v2/users" API call, allowing an attacker to learn the full name of a board owner. This issue affects github.com/mattermost/focalboard/mattermost-plugin and github.com/mattermost/focalboard/server versions prior to 7.4.4.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- LOW
- NONE
CWE-668 - Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
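The missing check described in the Summary, as an added example that is not Focalboard's or Mattermost's own code. The `User` type, its JSON field names and all function names are hypothetical, and the sample record is constructed. The response is filtered at the serialization boundary so the full name never leaves the server when the setting is off.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical API response type, not Focalboard's own model.
type User struct {
	Username  string `json:"username"`
	FirstName string `json:"first_name,omitempty"`
	LastName  string `json:"last_name,omitempty"`
}

// RenderUsersVulnerable serializes stored records as-is; the setting is never consulted.
func RenderUsersVulnerable(users []User) ([]byte, error) {
	return json.Marshal(users)
}

// RenderUsers blanks the name fields when the "Show Full Name" setting is off.
func RenderUsers(users []User, showFullName bool) ([]byte, error) {
	out := append([]User(nil), users...) // copy so stored records are not mutated
	if !showFullName {
		for i := range out {
			out[i].FirstName, out[i].LastName = "", ""
		}
	}
	return json.Marshal(out)
}

// ContainsFullName is a regression check: does a response body carry any name field?
func ContainsFullName(body []byte) bool {
	var rows []User
	if err := json.Unmarshal(body, &rows); err != nil {
		return false
	}
	for _, r := range rows {
		if r.FirstName != "" || r.LastName != "" {
			return true
		}
	}
	return false
}

func main() {
	users := []User{{Username: "board.owner", FirstName: "Ada", LastName: "Example"}} // constructed
	before, _ := RenderUsersVulnerable(users)
	after, _ := RenderUsers(users, false)
	fmt.Println(ContainsFullName(before), ContainsFullName(after))
}
```

A check like `ContainsFullName` belongs in the API test suite with the setting both on and off, so a new endpoint that serializes user records without the filter fails the build.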
References
Advisory Timeline
- Published