
CVE-2024-39777 – Malicious remote can invite itself to an arbitrary local channel
https://notcve.org/view.php?id=CVE-2024-39777
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites that expose access to local channels when shared channels are enabled. This allows a malicious remote to send an invite carrying the ID of an existing local channel, and that local channel then becomes shared without the consent of the local admin. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVE-2024-39274 – Malicious remote can add users to arbitrary teams and channels
https://notcve.org/view.php?id=CVE-2024-39274
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel referenced in a sync message is a shared channel when shared channels are enabled. This allows a malicious remote to add users to arbitrary teams and channels. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVE-2024-36492 – Existing local user overwritten by malicious remote
https://notcve.org/view.php?id=CVE-2024-36492
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels, which allows a malicious remote to overwrite an existing local user. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVE-2024-29977 – Malicious remote can create arbitrary reactions on arbitrary posts
https://notcve.org/view.php?id=CVE-2024-29977
01 Aug 2024 — Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to properly validate synced reactions when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •