CVE-2023-47168: 
Mattermost vulnerability analysis and mitigation

Mattermost, a collaboration platform, was found to contain an open redirect vulnerability (CVE-2023-47168) that was disclosed on November 27, 2023. The vulnerability exists in the platform's OAuth implementation where the system fails to properly validate redirect URL parameters. This affects Mattermost versions up to 7.8.12, versions 8.0.0 through 8.1.3, versions 9.0.0 through 9.0.1, and version 9.1.0 (NVD).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site). The issue occurs specifically when users click the "Back to Mattermost" button after providing an invalid custom URL scheme in the /oauth/{service}/mobilelogin?redirectto= endpoint. The CVSS v3.1 base score is 6.1 (Medium) according to NVD's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Mattermost's own assessment rated it at 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows for an open redirect attack, which could potentially lead to phishing attacks by redirecting users to malicious websites. The impact is considered medium severity, with potential for limited confidentiality and integrity breaches, though no direct impact on system availability (NVD).

Users should upgrade to the latest version of Mattermost that contains the fix for this vulnerability. The issue has been addressed in subsequent releases after the affected versions (Vendor Advisory).