
Cloud Vulnerability DB
A community-led vulnerabilities database
Mattermost fails to normalize Unicode (UTF) confusable characters when determining whether a link preview should be generated for a hyperlink, so an attacker can trigger a link preview for a disallowed domain with a specially crafted link. The vulnerability is tracked as CVE-2023-2808 and affects Mattermost versions 5.34.0 and later before 7.1.9, 7.2.0 and later before 7.8.4, and 7.9.0 and later before 7.9.3 (NVD).
The vulnerability is an improper input validation weakness (CWE-20) in the link preview generation mechanism. NIST assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, while Mattermost assessed it at 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD). The two vectors differ in two components: Mattermost treats the attacker as a low-privileged user (PR:L, an account able to post a message) and scores the impact on integrity (I:L, a preview the server was configured not to produce), whereas NIST scores it as unauthenticated (PR:N) with a low confidentiality impact (C:L).
The bypass works because the restricted-domain check compares the literal hostname of the posted link against the configured list, while a confusable spelling of that hostname (for example fullwidth Latin letters, which normalize to their ASCII counterparts) is resolved to the restricted domain when the preview is actually fetched. The hostname therefore matches no restricted entry, and the server generates a preview for a domain the administrator excluded. Since the server performs the fetch, the crafted link also makes it contact a host it was configured not to reach, which is where the potential information disclosure lies (NVD).
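The check described above, as an added Python illustration (not Mattermost code; Mattermost itself is written in Go): a literal string comparison of the URL host against a restricted-domain list, beside a version that canonicalises the host before comparing. The denylist, the probe URLs and every function name here are constructed for this example. The canonical form also strips a trailing dot, which the advisory does not mention but which the same literal comparison misses.

```python
"""Restricted-domain check for link previews: the literal string comparison
the advisory describes beside a version that canonicalises the host.

Added illustration, not Mattermost code. Standard library only. The denylist,
the probe URLs and the function names are constructed for the example.
"""
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Constructed denylist: domains an administrator has excluded from previews.
RESTRICTED_DOMAINS = ("mattermost.example", "intranet.example")


def host_of(url: str) -> str:
    """Host part of a URL as urlsplit reports it (lowercased, not normalised)."""
    return urlsplit(url).hostname or ""


def is_restricted(host: str) -> bool:
    """Exact or subdomain match against the denylist."""
    return any(host == d or host.endswith("." + d) for d in RESTRICTED_DOMAINS)


def canonical_host(host: str) -> Optional[str]:
    """Map a hostname to the ASCII name a resolver would actually look up.

    NFKC folds compatibility characters such as fullwidth letters to their
    ASCII counterparts; the trailing dot of a fully qualified name is dropped;
    the idna codec then applies nameprep and punycode per label and splits on
    all four IDNA label separators (U+002E, U+3002, U+FF0E, U+FF61).
    Returns None when the name cannot be encoded so callers can fail closed.
    """
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def preview_allowed_vulnerable(url: str) -> bool:
    """Compares the raw host, so a confusable spelling slips past the list."""
    return not is_restricted(host_of(url))


def preview_allowed_fixed(url: str) -> bool:
    """Compares the canonical host and refuses names it cannot canonicalise."""
    host = canonical_host(host_of(url))
    if not host:  # unparseable, empty or invalid host: fail closed
        return False
    return not is_restricted(host)


# Constructed probe URLs.
PLAIN = "https://mattermost.example/release-notes"
FULLWIDTH = "https://\uff4dattermost.example/release-notes"  # U+FF4D fullwidth m
TRAILING_DOT = "https://mattermost.example./release-notes"
CYRILLIC = "https://m\u0430ttermost.example/release-notes"  # U+0430 Cyrillic a


if __name__ == "__main__":
    for url in (PLAIN, FULLWIDTH, TRAILING_DOT, CYRILLIC):
        print(f"{url!r:50} vulnerable={preview_allowed_vulnerable(url)!s:5} "
              f"fixed={preview_allowed_fixed(url)!s:5} "
              f"canonical={canonical_host(host_of(url))}")
```

Running the block prints one row per probe: the fullwidth and trailing-dot spellings pass the literal check and are refused by the canonical one. The Cyrillic homoglyph is a genuinely different name (its canonical form is a punycode label), so both versions accept it; that is the caveat for any such denylist: canonicalisation catches spellings that resolve to the restricted host, not lookalike registrations of other hosts.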
Users should upgrade to the fixed versions: 7.1.9, 7.8.4, or 7.9.3, depending on their current version track (NVD, Mattermost Updates). Administrators who rely on the restricted-domains list (ServiceSettings.RestrictLinkPreviews in config.json) should assume it was not enforced against crafted links on affected versions; where an upgrade cannot be applied immediately, disabling link previews (ServiceSettings.EnableLinkPreviews) removes the affected code path.
Source: This report was generated using AI