2023-11-27 09:09:19
Mattermost
PUBLISHED
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victims page by create a channel name that is valid HTML. No XSS is possible though.