CVE-2016-11079
Description
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | < 3.0.0 | 3.0.0 |
Affected products
- Mattermost/Server
  - pkg:golang/github.com/mattermost/mattermost-server: range < 3.0.0 (no CPE)
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed: range < 0.0.20251105T184115-1.1 (no CPE)
Patches
Vulnerability mechanics
Root cause
"Missing input neutralization of user-controllable redirect URL allows injection of arbitrary JavaScript into a web page."
Attack vector
An attacker can craft a malicious redirect URL containing a JavaScript payload. When a user follows the crafted link, the Mattermost server does not properly neutralize the user-controllable input before placing it in the web page output, leading to cross-site scripting [CWE-79]. The advisory does not specify the exact endpoint or parameter involved, but the vulnerability is present in Mattermost Server before version 3.0.0.
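The pattern described above, as an added illustration in Go. This is not Mattermost's code and not the code touched by the advisory's patch; the login endpoint, the `redirect_to` parameter name, the page markup and both handlers are hypothetical. It places a handler that reflects a user-supplied redirect target into HTML without neutralization (the CWE-79 pattern) next to a hardened handler that accepts only a same-site relative path and lets `html/template` apply context-aware escaping, and drives both with `httptest` so the two outputs can be compared.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// safeRedirectTarget accepts a user-supplied redirect value only if it is a
// same-site relative path: no scheme, no host or userinfo, no backslashes,
// a single leading "/" and not protocol-relative ("//host"). Anything else
// falls back to the application root. Hypothetical validator, not
// Mattermost's code.
func safeRedirectTarget(raw string) string {
	if strings.Contains(raw, "\\") {
		return "/"
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "/"
	}
	// u.Path is already percent-decoded, so "/%2F%2Fhost" is caught here too.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "/"
	}
	// Rebuild from the parsed components so the result is re-encoded and
	// carries no fragment or stray characters from the raw input.
	clean := url.URL{Path: u.Path, RawQuery: u.RawQuery}
	return clean.String()
}

// vulnerableHandler reflects the redirect_to parameter straight into HTML.
// Attribute breakout or a javascript: URL in that value ends up in the page.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("redirect_to")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<p>Signed in. <a href="%s">Continue</a></p>`, target)
}

// continuePage is rendered with html/template, which escapes {{.}} according
// to the href attribute context it appears in.
var continuePage = template.Must(template.New("continue").Parse(
	`<p>Signed in. <a href="{{.}}">Continue</a></p>`))

// hardenedHandler validates the target before rendering and relies on the
// template engine rather than string formatting for output.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	target := safeRedirectTarget(r.URL.Query().Get("redirect_to"))
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_ = continuePage.Execute(w, target)
}

// render sends a GET /login?redirect_to=<value> to a handler in-process and
// returns the response body.
func render(h http.HandlerFunc, redirectTo string) string {
	q := url.Values{"redirect_to": {redirectTo}}
	req := httptest.NewRequest(http.MethodGet, "/login?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed sample input: an attribute-breakout value, not taken from
	// the advisory.
	payload := `"><i>injected</i>`
	fmt.Println("vulnerable:", render(vulnerableHandler, payload))
	fmt.Println("hardened:  ", render(hardenedHandler, payload))
}
```

With the sample value the vulnerable handler emits the injected markup as live HTML, while the hardened handler rejects the value outright and renders `href="/"`. The validator also rejects `javascript:` targets and protocol-relative `//host` values, which covers the open-redirect side of the same input.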
Affected code
The patch touches `store/sql_user_store.go`, `store/store.go`, `api/team.go`, and `store/sql_user_store_test.go`. The core change adds a `UpdateUpdateAt` method to the `UserStore` interface and its SQL implementation, and calls it from `JoinUserToTeam` in `api/team.go`. A `LIMIT 1` is also added to a query in `GetEtagForDirectProfiles`. However, the advisory states the vulnerability is XSS via a redirect URL, and the patch does not show any redirect URL handling code, so the exact file path of the XSS is not visible in the supplied patch.
What the fix does
The supplied patch does not contain a fix for the XSS via redirect URL. The patch instead adds a `UpdateUpdateAt` method to the `UserStore` and calls it when joining a user to a team, and adds `LIMIT 1` to a query in `GetEtagForDirectProfiles`. These changes appear unrelated to XSS. The advisory states the issue was fixed in Mattermost Server 3.0.0, but no corresponding fix diff is present in the bundle.
Preconditions
- input: The attacker must be able to supply a redirect URL that the Mattermost server will process.
- network: The victim must click or be redirected to the crafted URL.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2j9c-76pp-xc5q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-11079 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
- mattermost.com/security-updates/ (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.