Mattermost Reaction Forwarding Vulnerability in GitHub Plugin Allowing Reaction Hijacking

Vulnerability

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.6 and in Mattermost GitHub plugin versions up to and including 2.4.0. These versions fail to validate that a post whose reactions are forwarded to GitHub was actually created by the plugin's bot account. An attacker who can post in a channel can craft a message that imitates a GitHub notification post; when another user reacts to it, the reaction is forwarded to a GitHub object of the attacker's choosing, on the reacting user's behalf.
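The check the advisory describes as missing, shown as an added illustration in Go (Mattermost plugins are written in Go). This is not the plugin's or the server's real code: the post and reaction types, the store, the prop names gh_repo and gh_number, and the user IDs are all assumptions constructed for the example. The vulnerable path forwards a reaction wherever the post's metadata points; the hardened path first requires the post's author to be the plugin's own bot account.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of the reaction-forwarding flow described in the advisory.
// These types are simplified stand-ins for Mattermost's post and reaction
// records, not the real model package, and the prop names are assumptions.
type Post struct {
	ID     string
	UserID string            // author of the post
	Props  map[string]string // author-controlled metadata attached to the post
}

type Reaction struct {
	UserID    string // user who reacted
	PostID    string
	EmojiName string
}

// ForwardTarget is the GitHub object (repo + issue/PR number) and emoji that
// would be sent to GitHub on the reacting user's behalf.
type ForwardTarget struct {
	Repo   string
	Number string
	Emoji  string
}

var (
	ErrPostNotFound = errors.New("post not found")
	ErrNoTarget     = errors.New("post carries no GitHub target metadata")
	ErrNotBotPost   = errors.New("post was not authored by the plugin bot; refusing to forward reaction")
)

// targetFromProps reads the GitHub object a post points at. Any post author can
// attach these props, so on its own this is not proof the post came from the plugin.
func targetFromProps(post Post, emoji string) (ForwardTarget, error) {
	repo, ok1 := post.Props["gh_repo"]     // hypothetical prop name
	number, ok2 := post.Props["gh_number"] // hypothetical prop name
	if !ok1 || !ok2 {
		return ForwardTarget{}, ErrNoTarget
	}
	return ForwardTarget{Repo: repo, Number: number, Emoji: emoji}, nil
}

// forwardVulnerable mirrors the flawed pattern: the reaction is forwarded to
// whatever object the post's props name, with no check on who wrote the post.
func forwardVulnerable(posts map[string]Post, r Reaction) (ForwardTarget, error) {
	post, ok := posts[r.PostID]
	if !ok {
		return ForwardTarget{}, ErrPostNotFound
	}
	return targetFromProps(post, r.EmojiName)
}

// forwardHardened refuses to act on any post that was not authored by the
// plugin's own bot account, so a user-crafted look-alike notification is ignored.
func forwardHardened(posts map[string]Post, r Reaction, botUserID string) (ForwardTarget, error) {
	post, ok := posts[r.PostID]
	if !ok {
		return ForwardTarget{}, ErrPostNotFound
	}
	if post.UserID != botUserID {
		return ForwardTarget{}, ErrNotBotPost
	}
	return targetFromProps(post, r.EmojiName)
}

// samplePosts builds a constructed store with one genuine bot notification and
// one attacker post that copies the same props but points at a different object.
func samplePosts() map[string]Post {
	ghProps := func(repo, number string) map[string]string {
		return map[string]string{"gh_repo": repo, "gh_number": number}
	}
	return map[string]Post{
		"genuine": {ID: "genuine", UserID: "github-bot", Props: ghProps("acme/app", "17")},
		"forged":  {ID: "forged", UserID: "mallory", Props: ghProps("acme/infra", "999")},
	}
}

func main() {
	posts := samplePosts()
	react := func(postID string) Reaction {
		return Reaction{UserID: "alice", PostID: postID, EmojiName: "+1"}
	}
	for _, id := range []string{"genuine", "forged"} {
		v, vErr := forwardVulnerable(posts, react(id))
		h, hErr := forwardHardened(posts, react(id), "github-bot")
		fmt.Printf("%-8s vulnerable=%v (%v)  hardened=%v (%v)\n", id, v, vErr, h, hErr)
	}
}
```

The author check must compare against the bot's user ID that the plugin itself registered, not against a display name or an arbitrary prop, since anything a user can set on their own post is attacker-controlled.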

Impact

Exploitation allows an attacker to have reactions added to GitHub objects (for example, issues or pull requests) on behalf of other Mattermost users, without those users intending it. This can misrepresent team sentiment, artificially inflate or deflate the perceived importance of an item, and disrupt normal workflow.

Remediation

Users should upgrade to Mattermost version 11.1.0, 11.0.5, 10.12.3, or 10.11.7 (or a later release in the same branch). For the GitHub plugin, update to version 2.4.1 or later.

Added: Dec 17, 2025, 1:22 PM
Updated: Dec 17, 2025, 1:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 5.0
remediation: 7.7
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.