CVE-2024-39839 – Remote username set to an arbitrary string by remote user
https://notcve.org/view.php?id=CVE-2024-39839
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2024-39837 – Malicious remote can create arbitrary channels
https://notcve.org/view.php?id=CVE-2024-39837
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2024-39832 – Permanently local data deletion by malicious remote
https://notcve.org/view.php?id=CVE-2024-39832
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVE-2024-39777 – Malicious remote can invite itself to an arbitrary local channel
https://notcve.org/view.php?id=CVE-2024-39777
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2024-39274 – Malicious remote can add users to arbitrary teams and channels
https://notcve.org/view.php?id=CVE-2024-39274
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels • https://mattermost.com/security-updates • CWE-284: Improper Access Control •