CVE-2023-48732 - Vulnerability Details - OpenCVE

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.005.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost Server

Configuration 1 [-]

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-0399	Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
Github GHSA	GHSA-q7rx-w656-fwmv	Mattermost notified all users in the channel when using WebSockets to respond individually

Fixes

Solution

Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

Tue, 03 Jun 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-01-02T09:52:01.147Z

Updated: 2025-06-03T14:45:52.518Z

Reserved: 2023-12-21T08:00:43.425Z

Link: CVE-2023-48732

Vulnrichment

Updated: 2024-08-02T21:37:54.700Z

NVD

Status : Modified

Published: 2024-01-02T10:15:08.487

Modified: 2024-11-21T08:32:20.653

Link: CVE-2023-48732

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48732", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2023-12-21T08:00:43.425Z", "datePublished": "2024-01-02T09:52:01.147Z", "dateUpdated": "2025-06-03T14:45:52.518Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "8.1.6", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "8.1.7"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Espino Garcia"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.</p>"}], "value": "Mattermost fails to scope the WebSocket response around notified users\u00a0to a each user separately resulting in the\u00a0WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-01-02T09:52:01.147Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.</p>"}], "value": "Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.\n\n"}], "source": {"advisory": "MMSA-2023-00243", "defect": ["https://mattermost.atlassian.net/browse/MM-54237"], "discovery": "INTERNAL"}, "title": "Keywords that trigger mentions are leaked to other users", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.700Z"}, "title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T15:57:37.615693Z", "id": "CVE-2023-48732", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T14:45:52.518Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.700Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-48732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T15:57:37.615693Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T15:57:39.074Z"}}], "cna": {"title": "Keywords that trigger mentions are leaked to other users", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-54237"], "advisory": "MMSA-2023-00243", "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Espino Garcia"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.1.6"}, {"status": "unaffected", "version": "8.1.7"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost Server to versions 8.1.7, 9.3.0 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Mattermost fails to scope the WebSocket response around notified users\u00a0to a each user separately resulting in the\u00a0WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-01-02T09:52:01.147Z"}}}, "cveMetadata": {"cveId": "CVE-2023-48732", "state": "PUBLISHED", "dateUpdated": "2025-06-03T14:45:52.518Z", "dateReserved": "2023-12-21T08:00:43.425Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-01-02T09:52:01.147Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FFBD373-195D-4481-B87D-5B329DBEC33D", "versionEndExcluding": "8.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mattermost fails to scope the WebSocket response around notified users\u00a0to a each user separately resulting in the\u00a0WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.\n\n"}, {"lang": "es", "value": "Mattermost no logra abarcar la respuesta de WebSocket en torno a los usuarios notificados para cada usuario por separado, lo que hace que WebSocket transmita la informaci\u00f3n sobre qui\u00e9n fue notificado sobre una publicaci\u00f3n a todos los dem\u00e1s en el canal."}], "id": "CVE-2023-48732", "lastModified": "2024-11-21T08:32:20.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-02T10:15:08.487", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}