CVE-2023-5968 – github.com/mattermost/mattermost-server/v6
Package
Manager: go
Name: github.com/mattermost/mattermost-server/v6
Vulnerable Version: >=5.4.0-rc1 <7.8.12 || >=0 <5.3.2-0.20230825233148-f787fd63368a
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00144 (percentile 0.3531)
Details
Mattermost password hash disclosure vulnerability
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
Metadata
Created: 2023-11-06T18:30:19Z
Modified: 2025-07-22T17:17:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-r67m-mf7v-qp7j/GHSA-r67m-mf7v-qp7j.json
CWE IDs: ["CWE-116", "CWE-200"]
Alternative ID: GHSA-r67m-mf7v-qp7j
Finding: F038
Auto approve: 1