CVE-2016-11083: Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution

May 24, 2022 (updated October 22, 2025)

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.

References

github.com/advisories/GHSA-rm24-25xm-9454
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/480308b7029a04cf41d0e9e7cd68b52dc2138e98
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2016-11083

Code Behaviors & Features

Detect and mitigate CVE-2016-11083 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →