CVE-2021-37866
Date: January 18, 2022
Overview
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server side when a user logs out of Boards, which allows an attacker to reuse an old session token for authorization.
Details
Mattermost Focalboard versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1, as used respectively in Mattermost versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser's local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the session token using techniques such as XSS attacks, to completely take over a victim account.
Focalboard is an open source, self-hosted project management tool that helps define, organize, track and manage work across individuals and teams.
It is included within the Mattermost Server install.
Affected versions of Focalboard do not properly invalidate a user's session even after the user has initiated logout.
User sessions are stored in the browser's local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the session token using techniques like XSS attacks.
Impact: An attacker can use a previously used or otherwise available session token to take over an account and log in as that user in the application.
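The two defects the advisory describes (logout that does not revoke the server-side record, and a token with no expiry) are easiest to see side by side in a minimal server-side session store. The following Go program is an added illustration written for this page; it is not Focalboard's or Mattermost's code, and every type and function name in it (SessionStore, Login, Authenticate, Logout, LogoutClientOnly) is an assumption made for the example. Logout deletes the record so a replayed token is refused, Login stamps an absolute expiry so a leaked token goes stale on its own, and LogoutClientOnly models the vulnerable behaviour in which only the browser forgets the token.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Session is a server-side record looked up by an opaque token.
// Constructed illustration; these are not Focalboard's own types.
type Session struct {
	UserID    string
	ExpiresAt time.Time
}

// ErrInvalidSession is returned for unknown, revoked or expired tokens.
var ErrInvalidSession = errors.New("session invalid or expired")

// SessionStore keeps every live session on the server, so the server alone
// decides whether a token is still good, regardless of what the browser holds.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]Session
	ttl      time.Duration
	now      func() time.Time // injectable clock; time.Now in production
}

// NewSessionStore creates a store whose sessions live for ttl after login.
func NewSessionStore(ttl time.Duration) *SessionStore {
	return &SessionStore{sessions: make(map[string]Session), ttl: ttl, now: time.Now}
}

// newToken returns 256 bits from crypto/rand, hex-encoded.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Login issues a token whose record carries an absolute expiry, so a copy
// that leaks from local storage stops working after ttl even if never revoked.
func (s *SessionStore) Login(userID string) (string, error) {
	tok, err := newToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tok] = Session{UserID: userID, ExpiresAt: s.now().Add(s.ttl)}
	return tok, nil
}

// Authenticate maps a presented token to a user, rejecting and purging
// anything that has expired or been revoked.
func (s *SessionStore) Authenticate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", ErrInvalidSession
	}
	if !s.now().Before(sess.ExpiresAt) {
		delete(s.sessions, token)
		return "", ErrInvalidSession
	}
	return sess.UserID, nil
}

// Logout is the behaviour the fix restores: the record is deleted on the
// server, so the same token presented again is refused.
func (s *SessionStore) Logout(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, token)
}

// LogoutClientOnly models the vulnerable behaviour: the client forgets the
// token but the server still honours it until ttl runs out (or indefinitely,
// if there is no expiry at all).
func (s *SessionStore) LogoutClientOnly(token string) {
	// Deliberately nothing happens server-side; the token stays in s.sessions.
}

func main() {
	store := NewSessionStore(24 * time.Hour)
	tok, err := store.Login("alice") // constructed sample user
	if err != nil {
		panic(err)
	}
	store.LogoutClientOnly(tok)
	_, err = store.Authenticate(tok)
	fmt.Println("after client-only logout, token still valid:", err == nil)
	store.Logout(tok)
	_, err = store.Authenticate(tok)
	fmt.Println("after server-side logout, token still valid:", err == nil)
}
```

Run as a plain `go run` program; the first line prints true (the token survives a client-only logout) and the second prints false. The injectable clock is what lets the expiry path be exercised deterministically, and it is also the hook a real service would use to audit how long a leaked token stays usable.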
Mattermost Server was updated with the fixed Focalboard versions in the following commits:
https://github.com/mattermost/mattermost-server/commit/0a042ca05fefa0584045bab1b7dae102360c98c5
https://github.com/mattermost/mattermost-server/commit/5f7fd34956ad5bf7e3697a920e377e11c16dda06
https://github.com/mattermost/mattermost-server/commit/6a4c881450973284c3ed98f39bde4809ddd8a758
https://github.com/mattermost/mattermost-server/commit/74e87ec3e623202a9654ae164e834cfe26dd6ec3
https://github.com/mattermost/mattermost-server/commit/7bc182de9eebb708d62b828213144a1aa4560fa0
PoC Details
Access the application by going to http://localhost/login and log in.
Go to "inspect element", "localstorage" and copy the Focalboard session, then log out.
Now go to "inspect element", "localstorage", click the '+' symbol and add the tokens again.
Navigate to the root of the web server and observe that you are logged in.
Affected Environments
Focalboard prior to v0.11.0, v0.10.1, v0.9.5, v0.8.4, v0.7.5, as used in Mattermost prior to v6.2.0, v6.1.1, v6.0.4, v5.39.3, v5.37.6, respectively.
Prevention
Update to Focalboard (Mattermost Server):
v0.11.0 (v6.2.0)
v0.10.1 (v6.1.1)
v0.9.5 (v6.0.4)
v0.8.4 (v5.39.3)
v0.7.5 (v5.37.6)
Language: Go
Good to know:
CVSS v3 metric | Value
---|---
Base Score | 
Attack Vector (AV) | Local
Attack Complexity (AC) | High
Privileges Required (PR) | None
User Interaction (UI) | Required
Scope (S) | Unchanged
Confidentiality (C) | High
Integrity (I) | None
Availability (A) | None

CVSS v2 metric | Value
---|---
Base Score | 
Access Vector (AV) | Network
Access Complexity (AC) | Low
Authentication (AU) | None
Confidentiality (C) | Partial
Integrity (I) | None
Availability (A) | None