
CVE-2024-29215 – Slash commands run in channel without channel membership via playbook task commands
https://notcve.org/view.php?id=CVE-2024-29215
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access control. This allows a user to run a slash command in a channel they are not a member of by linking a playbook run to that channel and running the slash command as a playbook task command. Reference: https://mattermost.com/security-updates. Weakness: CWE-284: Improper Access Control.

CVE-2024-5270 – SAML to email switch possible when email signin is disabled
https://notcve.org/view.php?id=CVE-2024-5270
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check whether the email signup configuration option is enabled when a user requests to switch from SAML to email authentication. This allows the user to switch their authentication method from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider. Reference: https://mattermost.com/security-updates. Weakness: CWE-284: Improper Access Control.

CVE-2024-34029 – AD/LDAP Group Members Leak
https://notcve.org/view.php?id=CVE-2024-34029
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/