CVE-2016-11071
Description
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | < 3.1.0 | 3.1.0 |
Affected products
- Mattermost/Server (description)
  - ghsa-coords, 2 versions: pkg:golang/github.com/mattermost/mattermost-server, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - < 3.1.0 (+ 1 more)
- (no CPE) range: < 3.1.0
- (no CPE) range: < 0.0.20251105T184115-1.1
Patches
Vulnerability mechanics
Root cause
"Missing `noreferrer` and `noopener` attributes on links allow a target page to access the opener window's context, enabling cross-site scripting."
Attack vector
An attacker can inject malicious JavaScript into a web page that is served to other users because Mattermost Server before 3.1.0 did not apply `noreferrer` and `noopener` protections on links [CWE-79]. When a victim clicks a crafted link (e.g., in a chat message or system notification), the linked page gains access to the opener window's context via `window.opener`, enabling cross-site scripting attacks. The advisory does not detail the exact payload shape or which input fields are exploitable.
Affected code
The patch touches `webapp/components/admin_console/storage_settings.jsx` and `webapp/components/create_post.jsx`. The storage settings file removes the `maxFileSize` state variable and its associated UI setting, while the create post file adds a call to `PostStore.removePendingPost` after a successful post creation. However, the CVE description states the issue is that "noreferrer and noopener protection mechanisms were not in place," which is not visible in these patch diffs — the advisory does not specify which files contain the missing protections.
What the fix does
The provided patch [patch_id=2247328] comments out the `maxFileSize` setting in the admin console and fixes a pending post removal issue, but these changes do not address the missing `noreferrer` and `noopener` protections described in the CVE. The advisory states that the fix was applied in Mattermost Server 3.1.0, but the patch bundle does not contain the actual security fix for the XSS vulnerability. Without the relevant diff, the remediation cannot be explained from this patch alone.
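What the missing protection looks like in practice, as an added example that is not Mattermost's code or its 3.1.0 fix: a Node-runnable audit that flags anchors opening a new browsing context without `rel="noopener"`/`noreferrer`, and a rewriter that adds both. The `example.test` URLs and the sample message are constructed.

```javascript
// Added example, not Mattermost code: audit and harden outbound links so the
// opened page cannot reach window.opener (the missing-noopener weakness in
// CVE-2016-11071). Plain string processing, so it runs in Node without a DOM.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const SAME_CONTEXT_TARGETS = new Set(["_self", "_parent", "_top"]);

// Parse the attributes of one <a ...> tag (assumes double-quoted values).
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(attrString)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// A target other than _self/_parent/_top opens a separate browsing context,
// which receives window.opener unless rel opts out.
function opensNewContext(attrs) {
  return "target" in attrs && !SAME_CONTEXT_TARGETS.has(attrs.target.toLowerCase());
}

// noreferrer implies noopener in current browsers, so accept either token.
function hasOpenerProtection(attrs) {
  const tokens = (attrs.rel || "").toLowerCase().split(/\s+/);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Detection: hrefs of anchors that would expose window.opener to the linked page.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const match of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(match[1]);
    if (opensNewContext(attrs) && !hasOpenerProtection(attrs)) unsafe.push(attrs.href || "");
  }
  return unsafe;
}

// Mitigation: rewrite those anchors to carry rel="noopener noreferrer",
// keeping any rel tokens (e.g. nofollow) that were already present.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrString) => {
    const attrs = parseAttrs(attrString);
    if (!opensNewContext(attrs) || hasOpenerProtection(attrs)) return tag;
    const rel = new Set((attrs.rel || "").split(/\s+/).filter(Boolean));
    rel.add("noopener").add("noreferrer");
    const rest = attrString.replace(/\s*\brel\s*=\s*"[^"]*"/i, "");
    return `<a${rest} rel="${[...rel].join(" ")}">`;
  });
}

// Constructed sample: rendered message with one unsafe and one protected link.
const SAMPLE = '<p>see <a href="https://example.test/a" target="_blank">a</a> and ' +
  '<a href="https://example.test/b" target="_blank" rel="noopener">b</a></p>';
```

Running `findUnsafeLinks` over rendered messages gives a cheap regression check; `hardenLinks` is the shape of the fix a link renderer needs.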
Preconditions
- input: The attacker must be able to post or inject a link into a Mattermost channel or message that other users will view.
- input: The victim must click the crafted link while using a browser that supports window.opener.
- config: The Mattermost server must be running a version before 3.1.0.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h3qg-w9j5-wh3m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-11071 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
- mattermost.com/security-updates/ (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.