CVE-2023-2788

Mattermost fails to check if an admin user account active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated.

Published: Jun 16, 2023
Updated: Jun 27, 2023
CVE: CVE-2023-2788
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
mattermost / mattermost	7.9.0	7.9.3.x
mattermost / mattermost	7.8.0	7.8.4.x
mattermost / mattermost	7.1.0	7.1.9.x
mattermost / mattermost	7.10.0	7.10.0.x

https://mattermost.com/security-updates/

Vulnerability Database

289,871

CVE-2023-2788