CVE-2025-13523 PUBLISHED

Cross-Site Scripting (XSS) via Unescaped Display Names in Mattermost Confluence Plugin OAuth2 Flow

Assigner: Mattermost
Reserved: 21.11.2025
Published: 06.02.2026
Updated: 06.02.2026

Mattermost Confluence plugin versions before 1.7.0 fail to properly escape user-controlled display names when rendering HTML templates. An authenticated Confluence user with a malicious display name can execute arbitrary JavaScript in a victim's browser by sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without sanitization. Mattermost Advisory ID: MMSA-2025-00557
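To illustrate the bug class behind this advisory, the Go example below (added here, not the plugin's own code) contrasts a template rendered with text/template, which copies a display name into the page verbatim, against the same template rendered with html/template, which escapes it. The page fragment and the display name are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed stand-in for a post-OAuth2 "connected" page that echoes the
// display name returned by Confluence. The real plugin template is assumed
// to differ; only the escaping behaviour matters here.
const connectedPage = `<p>Connected to Confluence as <b>{{.DisplayName}}</b></p>`

type pageData struct{ DisplayName string }

// renderUnsafe reproduces the vulnerable pattern: text/template knows
// nothing about HTML and inserts the display name without escaping.
func renderUnsafe(displayName string) (string, error) {
	tmpl, err := texttemplate.New("connected").Parse(connectedPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, pageData{DisplayName: displayName})
	return buf.String(), err
}

// renderSafe is the fix: html/template applies context-aware escaping, so
// the same name is rendered as inert text inside the <b> element.
func renderSafe(displayName string) (string, error) {
	tmpl, err := htmltemplate.New("connected").Parse(connectedPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, pageData{DisplayName: displayName})
	return buf.String(), err
}

func main() {
	// Constructed hostile display name of the kind the advisory describes.
	name := "Mallory <script>alert(1)</script>"
	unsafe, _ := renderUnsafe(name)
	safe, _ := renderSafe(name)
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```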

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 7.7

Product Status

Vendor: Mattermost
Product: Mattermost Confluence Plugin
Versions (default: unaffected):
  • affected from 0 to 1.7.0 (excl.)
  • Version 1.7.0 is unaffected

Solutions

Update the Mattermost Confluence plugin to version 1.7.0 or higher.

Credits

  • daw10 (finder)

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')