Compliance Impact

The vulnerability in Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 allows an attacker with access to edit some site configuration to inject malicious JavaScript code via unescaped variables during error page composition. This could lead to limited confidentiality and integrity impacts as indicated by the CVSS score (Confidentiality: Low, Integrity: Low).

However, there is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

This vulnerability affects Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13. It occurs because some variables that may contain malicious content are not properly escaped during the composition of error pages. An attacker who has access to edit certain site configuration values can inject malicious JavaScript code into these variables, which then gets executed when the error page is displayed.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker with permission to edit some site configuration to execute malicious JavaScript code in the context of the Mattermost application. This can lead to limited impacts such as information disclosure or manipulation of the user interface, as indicated by the CVSS score which reflects low confidentiality and integrity impacts but no availability impact.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 for the 11.5.x series or later than 10.11.13 for the 10.11.x series, as these versions fix the issue with unescaped variables that allow malicious code injection.

Additionally, restrict access to site configuration editing to trusted administrators only, since the vulnerability requires such access to exploit.

Useful 0 Not Useful 0