CVE-2017-18908: Mattermost Server password reset email requests can be sent to attacker-provided email addresses

Severity: Critical

CVSS Score: 9.8

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.