CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39807 – Channel IDs of archived/restored channels leaked via webhook events
https://notcve.org/view.php?id=CVE-2024-39807
03 Jul 2024 — Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels. Las versiones 9.5.x <= 9.5.5 y 9.8.0 de Mattermost no sanitizan adecuadamente a los destinatarios de un evento de webhook, lo que permite a un atacante monitorear eventos de webhook para recuperar las ID de los canales archivados o restaurados. Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 f... • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-36257 – Lack of permission check when updating the profile picture of a remote user (shared channels enabled)
https://notcve.org/view.php?id=CVE-2024-36257
03 Jul 2024 — Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. Las versiones 9.5.x <= 9.5.5 y 9.8.0 de Mattermost, cuando se utilizan canales compartidos... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-29215 – Slash commands run in channel without channel membership via playbook task commands
https://notcve.org/view.php?id=CVE-2024-29215
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a playbook task command. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 no aplican el control de acceso adecuado que permite a un usuario ejecutar un comando de barra diagonal en... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36255 – Post actions can run playbook checklist task commands
https://notcve.org/view.php?id=CVE-2024-36255
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 no realizan una validación de entrada adecuada en las acciones posteriores, lo que permite a un atacan... • https://mattermost.com/security-updates • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36241 – /playbook add slash command allows viewing arbitrary post contents
https://notcve.org/view.php?id=CVE-2024-36241
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 de Mattermost no aplican controles de acceso adecuados que permiten al usuario ver contenidos de publicaciones arbitrarias mediante el comando /playbook add slash Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to en... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31859 – Member promoted to channel admin via playbooks run linking to channel
https://notcve.org/view.php?id=CVE-2024-31859
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 de Mattermost no realizan las comprobaciones de autorización adecuadas, lo que permite que un miembro que ejecuta un libro de estrategias en un canal existente sea promovido a un administrador del canal • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-5270 – SAML to email switch possible when email signin is disabled
https://notcve.org/view.php?id=CVE-2024-5270
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 no verifican si la opció... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-5272 – Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"
https://notcve.org/view.php?id=CVE-2024-5272
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished. Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 de Mattermost no restringen la audiencia del evento de webhook "custom_playbooks_playbook_run_updated", que permite a un invitado en un canal... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-32045 – Playbook run link to private channel grants channel access
https://notcve.org/view.php?id=CVE-2024-32045
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 de Mattermost no aplican controles de acceso adecuados para la membresía del canal y del equipo al vincular la ejecución de un libro de jugadas a un canal que permite a los mi... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34152 – Playbook Run Metadata leak to Guest
https://notcve.org/view.php?id=CVE-2024-34152
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control which allows a guest to get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server Las versiones de Mattermost 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 no realizan el control de acceso adecuado que permite a un invitado obtener los metadatos de una ejecución de libro de jugadas público que se vincula ... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •