更新: 2423 个文件 - 2026-03-18 14:23:01

08-threat-intel/registry/advisories/mattermost--CVE-2026-4265.json

@@ -0,0 +1,72 @@
+{
+  "canonical_id": "mattermost--CVE-2026-4265",
+  "system_id": "mattermost",
+  "display_name": "Mattermost",
+  "category": "platforms",
+  "advisory_mode": "core",
+  "title": "MMSA-2025-00553",
+  "summary": "(CWE-284) Fixed an issue where guest users could bypass team-specific upload_file permission restrictions by uploading files in teams where they had permission and then posting those files to channels in teams where they lacked the permission. Thanks to 0x7oda7123 for contributing to this improvement under the Mattermost responsible disclosure policy.",
+  "published_at": "2026-03-16",
+  "updated_at": "2026-03-16",
+  "severity": "medium",
+  "cvss_score": null,
+  "exploit_status": "unknown",
+  "source_confidence": "official",
+  "official_source_url": "https://securityupdates.mattermost.com/security_updates.json",
+  "secondary_source_urls": [],
+  "aliases": [
+    "MMSA-2025-00553",
+    "CVE-2026-4265"
+  ],
+  "cve_ids": [
+    "CVE-2026-4265"
+  ],
+  "ghsa_ids": [],
+  "osv_ids": [],
+  "affected_versions": [
+    "11.3.x <= 11.3.0",
+    "11.2.x <= 11.2.2",
+    "10.11.x <= 10.11.10"
+  ],
+  "fixed_versions": [
+    "11.4.0",
+    "11.3.1",
+    "11.2.3",
+    "10.11.11"
+  ],
+  "package_name": "Mattermost Server",
+  "render_markdown": true,
+  "case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-4265.md",
+  "secure_code_topics": [
+    "authz-server-side-recheck",
+    "xss-output-encoding",
+    "token-cookie-storage",
+    "file-upload-validation"
+  ],
+  "status": "generated",
+  "triage_reasons": [],
+  "verification_status": "triage-manual",
+  "verification_mode": "synthetic",
+  "last_verified_at": null,
+  "last_run_id": null,
+  "evidence_bundle": null,
+  "historical_status": null,
+  "latest_status": null,
+  "browser_evidence": {
+    "required": false,
+    "present": false,
+    "refs": []
+  },
+  "repro_profile_id": "xss-generic",
+  "artifact_mode": "synthetic",
+  "blocked_reason": null,
+  "metadata": {
+    "source_names": [
+      "Mattermost Security Updates JSON"
+    ],
+    "source_kinds": [
+      "json-feed"
+    ],
+    "candidate_count": 1
+  }
+}