Advisory GHSA-59hf-mpf8-pqjh references a vulnerability in the following Go modules:
Description:
Mattermost does not strip embeds from metadata when broadcasting posted events. This allows users to include arbitrary embeds in posts, which are then broadcast via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trigger a client-side Denial of Service (DoS) by sending a permalink with a non-string message.
The advisory metadata references the appropriate Go pseudo-version available from pkg.go.dev.
References:
Cross references:
See doc/quickstart.md for instructions on how to triage this report.