CVE-2023-35075 Information

Description

Mattermost fails to use  innerText / textContent when setting the channel name in the webapp during autocomplete allowing an attacker to inject HTML to a victim’s page by create a channel name that is valid HTML. No XSS is possible though. 

Reference

https://mattermost.com/security-updates