Mattermost fails to use  innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. 
References
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2023-11-27T09:09:19.659Z

Updated: 2024-08-02T16:23:58.680Z

Reserved: 2023-11-20T12:06:31.656Z

Link: CVE-2023-35075

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-11-27T10:15:07.257

Modified: 2024-11-21T08:07:55.753

Link: CVE-2023-35075

cve-icon Redhat

No data.