← back
CVE-2024-32046

Detailed error discloses full file path with dev mode off

CVSS 4.3 MEDIUMEPSS 0.5%CWE-200
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
26 Apr 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected products
Mattermost · Mattermost

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://mattermost.com/security-updates