Description
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected products
- Mattermost / Mattermost Boardsunspecified – 0.10.0
- Mattermost / Mattermost Boards0.9.5 – unspecified
- Mattermost / Mattermost Boards0.8.4 – unspecified
- Mattermost / Mattermost Boards0.7.5 – unspecified