Description
Mattermost fails to verify whether the requestor is a sysadmin before allowing `install` requests to the Apps, which allows a regular user to send install requests to the Apps.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: Low
Affected products
- Mattermost / Mattermost App Framework 0 – 7.8.4
- Mattermost / Mattermost App Framework 0 – 7.9.3
- Mattermost / Mattermost App Framework 7.10.0 – 7.10.0
- Mattermost / Mattermost App Framework v7.8.5 – v7.8.5
- Mattermost / Mattermost App Framework v7.9.4 – v7.9.4
- Mattermost / Mattermost App Framework v7.10.1 – v7.10.1