Page 5 of 55 results (0.006 seconds)

CVSS: 2.7EPSS: 0%CPEs: 2EXPL: 0

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVSS: 4.1EPSS: 0%CPEs: 4EXPL: 0

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled,  which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVSS: 3.8EPSS: 0%CPEs: 2EXPL: 0

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •