CVE-2021-37859: 
Mattermost vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in OAuth-enabled instances of Mattermost. The vulnerability, identified as CVE-2021-37859, was related to a bypass of existing XSS protections. The issue affects Mattermost versions from 5.32.0 up to 5.34.5, 5.35.0 up to 5.35.4, and 5.36.0 up to 5.36.1 (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). According to the CVSS 3.1 scoring, the vulnerability received a base score of 6.1 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Mattermost assessed it with a higher severity score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L. The CVSS 2.0 base score was rated at 4.3 (MEDIUM) with vector (AV:N/AC:M/Au:N/C:N/I:P/A:N) (NVD).

The vulnerability could potentially allow attackers to execute cross-site scripting attacks against users of OAuth-enabled Mattermost instances, potentially leading to unauthorized access to user data and potential account compromise (NVD).

Users should upgrade to the fixed versions of Mattermost: version 5.34.5 or later for the 5.34.x series, version 5.35.4 or later for the 5.35.x series, or version 5.36.1 or later for the 5.36.x series (NVD).