CVE-2024-39777 – Malicious remote can invite itself to an arbitrary local channel
https://notcve.org/view.php?id=CVE-2024-39777
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2024-39274 – Malicious remote can add users to arbitrary teams and channels
https://notcve.org/view.php?id=CVE-2024-39274
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2024-36492 – Existing local user overwritten by malicious remote
https://notcve.org/view.php?id=CVE-2024-36492
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVE-2024-29977 – Malicious remote can create arbitrary reactions on arbitrary posts
https://notcve.org/view.php?id=CVE-2024-29977
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts • https://mattermost.com/security-updates • CWE-284: Improper Access Control •