CVE-2023-2788: Deactivated user can retain access using oauth2 api

6.2 CVSS

Description

Mattermost fails to check whether an admin user account is still active after an OAuth2 flow has been started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an OAuth2 access token while the attacker's account is deactivated.

Classification

CVE ID: CVE-2023-2788

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.2

Affected Products

Vendor: Mattermost

Product: Mattermost

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 26.93% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date on which this score was calculated)

References

https://mattermost.com/security-updates/

Timeline