CVSS: 8.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-39274 – Malicious remote can add users to arbitrary teams and channels
https://notcve.org/view.php?id=CVE-2024-39274
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36492 – Existing local user overwritten by malicious remote
https://notcve.org/view.php?id=CVE-2024-36492
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 2.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29977 – Malicious remote can create arbitrary reactions on arbitrary posts
https://notcve.org/view.php?id=CVE-2024-29977
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39767 – Spoofed push notifications from malicious server
https://notcve.org/view.php?id=CVE-2024-39767
Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications. Las versiones de Mattermost Mobile Apps <= 2.16.0 no pueden validar que las notificaciones automáticas recibidas para un servidor en realidad provienen de este servicio, lo que permite a un servidor malicioso enviar notificaciones automáticas con el ID de diagnóstico o la URL del servidor de otro servidor y hacer que aparezcan en el dispositivo móvil aplicaciones como las notificaciones push de ese servidor. • https://mattermost.com/security-updates • CWE-287: Improper Authentication •
CVSS: 2.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32945 – LaTeX post content manipulation via renderer state leak across contexts
https://notcve.org/view.php?id=CVE-2024-32945
Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions. Las versiones de Mattermost Mobile Apps <= 2.16.0 no protegen contra el abuso de un estado MathJax compartido globalmente que permite a un atacante cambiar el contenido de una publicación de LateX mediante la creación de otra publicación con definiciones de macro específicas. • https://mattermost.com/security-updates • CWE-909: Missing Initialization of Resource •