Improper Authorization in Mattermost Boards Allows Guest Users to Access User Information

Improper Authorization in Mattermost Boards Allows Guest Users to Access User Information

CVE-2023-6202 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.

Learn more about our Api Penetration Testing.