CVSS: 8.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-39274 – Malicious remote can add users to arbitrary teams and channels
https://notcve.org/view.php?id=CVE-2024-39274
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, w... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36492 – Existing local user overwritten by malicious remote
https://notcve.org/view.php?id=CVE-2024-36492
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29977 – Malicious remote can create arbitrary reactions on arbitrary posts
https://notcve.org/view.php?id=CVE-2024-29977
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-6428 – Limited DoS due to permitting creating users with user-defined IDs
https://notcve.org/view.php?id=CVE-2024-6428
03 Jul 2024 — Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. Las versiones de Mattermost 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 no evitan especificar un RemoteId al cr... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39353 – RemoteClusterFrame payloads are audit logged in full
https://notcve.org/view.php?id=CVE-2024-39353
03 Jul 2024 — Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to sanitize the RemoteClusterFrame payloads before audit logging them which allows a high privileged attacker with access to the audit logs to read message contents. Las versiones 9.5.x <= 9.5.5 y 9.8.0 de Mattermost no sanitizan los payloads de RemoteClusterFrame antes de registrarlas, lo que permite a un atacante con altos privilegios con acceso a los registros de auditoría leer el contenido de los mensajes. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-39361 – Creating posts with user-defined IDs permitted in CreatePost API
https://notcve.org/view.php?id=CVE-2024-39361
03 Jul 2024 — Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts Las versiones de Mattermost 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 y 9.5.x <= 9.5.5 no evitan que los usuarios especifiquen un RemoteId para sus ... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-39830 – Timing attack during remote cluster token comparison when shared channels are enabled
https://notcve.org/view.php?id=CVE-2024-39830
03 Jul 2024 — Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use constant time comparison for remote cluster tokens which allows an attacker to retrieve the remote cluster token via a timing attack during remote cluster token comparison. Las versiones de Mattermost 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 y 9.5.x <= 9.5.5, cuando los canales compartidos están habilitados, no pueden usar la comparación de tiempo constante p... • https://mattermost.com/security-updates • CWE-203: Observable Discrepancy CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39807 – Channel IDs of archived/restored channels leaked via webhook events
https://notcve.org/view.php?id=CVE-2024-39807
03 Jul 2024 — Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. Las versiones 9.5.x <= 9.5.5 y 9.8.0 de Mattermost no sanitizan adecuadamente a los destinatarios de un evento de webhook, lo que permite a un atacante monitorear eventos de webhook para recuperar las ID de los canales archivados o restaurados. Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 f... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-36257 – Lack of permission check when updating the profile picture of a remote user (shared channels enabled)
https://notcve.org/view.php?id=CVE-2024-36257
03 Jul 2024 — Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. Las versiones 9.5.x <= 9.5.5 y 9.8.0 de Mattermost, cuando se utilizan canales compartidos... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-29215 – Slash commands run in channel without channel membership via playbook task commands
https://notcve.org/view.php?id=CVE-2024-29215
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a playbook task command. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 no aplican el control de acceso adecuado que permite a un usuario ejecutar un comando de barra diagonal en... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •