Mattermost Account Takeover Vulnerability via Improper Token Verification in Authentication Transfer

A vulnerability allowing account takeover has been identified in Mattermost versions 11.0.x through 11.0.2, 10.12.x through 10.12.1, 10.11.x through 10.11.4, and 10.5.x through 10.5.12. The issue arises because these versions fail to properly verify that the token used during the code exchange process originates from the same authentication flow. This flaw enables an authenticated user to exploit the vulnerability by using a specially crafted email address when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability is only exploitable when the ExperimentalEnableAuthenticationTransfer feature is enabled (which is the default setting) and the RequireEmailVerification option is disabled (also the default setting).

Impact

Exploitation of this vulnerability allows for unauthorized account takeover.

Remediation

Users can upgrade to Mattermost versions 11.2.0, 10.12.2, 10.11.5, or 10.5.13 to address this vulnerability.