Exposure of Resource to Wrong Sphere


Severity Medium
Score 6.5/10


When running in a High Availability configuration, Mattermost fails to sanitize some of the "user_updated" and "post_deleted" events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients. This issue affects versions through 7.1.5 and 7.2.0 through 7.7.1.
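The defensive pattern that addresses this class of issue, shown here as an added illustration rather than Mattermost's own code: each event is sanitized for the specific recipient at the point where it is written to that client's WebSocket, so the result is the same whether the event was created on this node or forwarded from another node in a cluster. The `Event`, `User`, `Post` and `Recipient` types, the `SanitizeForRecipient` and `Broadcast` functions, and all sample values below are hypothetical and constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical profile carried inside a "user_updated" event.
// Email and AuthData are the fields a non-privileged recipient must not see.
type User struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email,omitempty"`
	AuthData string `json:"auth_data,omitempty"`
}

// Post is a hypothetical post reference carried inside a "post_deleted" event.
type Post struct {
	ID        string `json:"id"`
	ChannelID string `json:"channel_id"`
	Message   string `json:"message,omitempty"`
}

// Event is a hypothetical broadcast envelope (constructed for this example).
type Event struct {
	Type string `json:"event"`
	User *User  `json:"user,omitempty"`
	Post *Post  `json:"post,omitempty"`
}

// Recipient models one connected WebSocket client and what it is allowed to see.
type Recipient struct {
	UserID   string
	IsAdmin  bool
	Channels map[string]bool // channels the recipient is a member of
}

// SanitizeForRecipient returns a copy of the event with fields removed that the
// recipient is not entitled to. The input is never mutated, so a single cached
// event cannot carry one recipient's view into another recipient's connection.
func SanitizeForRecipient(ev Event, r Recipient) Event {
	if ev.User != nil {
		u := *ev.User // shallow copy of the profile
		if r.UserID != u.ID && !r.IsAdmin {
			u.Email = ""
			u.AuthData = ""
		}
		ev.User = &u
	}
	if ev.Post != nil {
		p := *ev.Post
		if !r.Channels[p.ChannelID] && !r.IsAdmin {
			p.Message = "" // non-members learn only that a post id was removed
		}
		ev.Post = &p
	}
	return ev
}

// Broadcast renders the per-recipient JSON payloads that would be written to
// each WebSocket client. Sanitization happens here, at the delivery boundary.
func Broadcast(ev Event, rs []Recipient) (map[string]string, error) {
	out := make(map[string]string, len(rs))
	for _, r := range rs {
		b, err := json.Marshal(SanitizeForRecipient(ev, r))
		if err != nil {
			return nil, err
		}
		out[r.UserID] = string(b)
	}
	return out, nil
}

func main() {
	// Constructed sample data.
	ev := Event{Type: "user_updated", User: &User{ID: "u1", Username: "alice",
		Email: "alice@example.invalid", AuthData: "saml-subject"}}
	recipients := []Recipient{
		{UserID: "u1"},
		{UserID: "u2"},
		{UserID: "admin", IsAdmin: true},
	}
	payloads, err := Broadcast(ev, recipients)
	if err != nil {
		panic(err)
	}
	for id, p := range payloads {
		fmt.Printf("%s <- %s\n", id, p)
	}
}
```

The design choice worth noting is that the per-recipient check lives in the code path that serializes the event for a connection, not in the code that originally constructs the event. A check applied only at construction time can be bypassed by any other path that delivers the same event object, which is exactly the situation a clustered deployment creates.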

  • LOW
  • NONE
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Advisory Timeline

  • Published