Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
Vulnerable versions of Mattermost Server do not verify whether the token used during OAuth code exchange (endpoint /users/login/sso/code-exchange) originates from the same authentication flow that generated it. An attacker, being a logged-in user, can submit a specially crafted email address while switching authentication methods, and then send a request to the mentioned endpoint with a token from outside the original flow. Exploiting the vulnerability requires that the ExperimentalEnableAuthenticationTransfer option be enabled in the server configuration (default: enabled) and that RequireEmailVerification be disabled (default: disabled).
An authenticated attacker can take over control of any user account (account takeover), leading to complete compromise of confidentiality, integrity, and availability of data accessible from the compromised account.
Update Mattermost Server to the patched versions indicated by the vendor (details: https://mattermost.com/security-updates). Until the patch is deployed, it is recommended to disable the ExperimentalEnableAuthenticationTransfer option in the server configuration or enable RequireEmailVerification, which eliminates the conditions necessary to exploit the vulnerability.
Mattermost Server in versions: 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMattermost Server
APPMattermost10.5.0 – 10.5.13 (bez)10.11.0 – 10.11.5 (bez)10.12.0 – 10.12.2 (bez)11.0.0 – 11.0.3 (bez)
Related vulnerabilities
Mattermost Server: przejęcie konta przez błędną walidację OAuth state token
Mattermost Server: path traversal w ekstraktorze archiwów umożliwia RCE
Mattermost Server — path traversal przy imporcie tablic (Boards)
Mattermost Server: path traversal przy duplikowaniu bloków w Boards
SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic