{"id":"GHSA-h3qg-w9j5-wh3m","summary":"Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`","details":"An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because links lacked the `noreferrer` and `noopener` link relationship attributes, so those protection mechanisms were not in place.","aliases":["CVE-2016-11071","GO-2025-4058"],"modified":"2025-11-05T19:57:22.103691Z","published":"2022-05-24T17:21:01Z","database_specific":{"github_reviewed_at":"2025-10-22T20:56:50Z","nvd_published_at":"2020-06-19T20:15:00Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11071"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost"},{"type":"WEB","url":"https://mattermost.com/security-updates"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.1.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h3qg-w9j5-wh3m/GHSA-h3qg-w9j5-wh3m.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}