Exposure of Resource to Wrong Sphere

CVE-2023-1562

Medium

4.3/10

Summary

Mattermost fails to check the "Show Full Name" setting when rendering the result for the "/plugins/focalboard/api/v2/users" API call, allowing an attacker to learn the full name of a board owner. This issue affects github.com/mattermost/focalboard/mattermost-plugin and github.com/mattermost/focalboard/server versions prior to 7.4.4.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References

Advisory
MMSA-2023-00136
Pull request
Release Note

Advisory Timeline

Published Mar 22, 2023

Exposure of Resource to Wrong Sphere

CVE-2023-1562

Summary

CWE-668 - Exposure of Resource to Wrong Sphere

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS