CVE-2022-1002: 
Mattermost vulnerability analysis and mitigation

Mattermost version 6.3.0 and earlier contains a security vulnerability related to improper HTML sanitization in email invitations. The vulnerability, identified as CVE-2022-1002, allows registered users with special permissions to inject unescaped HTML content in email invitations sent to guest users (NVD, CVE Mitre).

The vulnerability is classified as a Cross-site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The CVSS v3.1 base score is 5.4 (Medium) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. However, Mattermost's own assessment rates it lower at 2.0 (Low) with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows attackers with valid user credentials and special permissions to inject unescaped HTML content in email invitations sent to guest users. This could potentially lead to cross-site scripting attacks when guest users interact with the malicious email content (NVD).

The vulnerability has been fixed in Mattermost version 6.4.0. Users are advised to upgrade to this version or later to mitigate the risk (Mattermost Advisory).