CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-29215 – Slash commands run in channel without channel membership via playbook task commands
https://notcve.org/view.php?id=CVE-2024-29215
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a playbook task command. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 no aplican el control de acceso adecuado que permite a un usuario ejecutar un comando de barra diagonal en... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36255 – Post actions can run playbook checklist task commands
https://notcve.org/view.php?id=CVE-2024-36255
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 no realizan una validación de entrada adecuada en las acciones posteriores, lo que permite a un atacan... • https://mattermost.com/security-updates • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36241 – /playbook add slash command allows viewing arbitrary post contents
https://notcve.org/view.php?id=CVE-2024-36241
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 de Mattermost no aplican controles de acceso adecuados que permiten al usuario ver contenidos de publicaciones arbitrarias mediante el comando /playbook add slash Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to en... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31859 – Member promoted to channel admin via playbooks run linking to channel
https://notcve.org/view.php?id=CVE-2024-31859
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 de Mattermost no realizan las comprobaciones de autorización adecuadas, lo que permite que un miembro que ejecuta un libro de estrategias en un canal existente sea promovido a un administrador del canal • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-5270 – SAML to email switch possible when email signin is disabled
https://notcve.org/view.php?id=CVE-2024-5270
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider. Las versiones de Mattermost 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 no verifican si la opció... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-5272 – Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"
https://notcve.org/view.php?id=CVE-2024-5272
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished. Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 de Mattermost no restringen la audiencia del evento de webhook "custom_playbooks_playbook_run_updated", que permite a un invitado en un canal... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-32045 – Playbook run link to private channel grants channel access
https://notcve.org/view.php?id=CVE-2024-32045
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. Las versiones 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 de Mattermost no aplican controles de acceso adecuados para la membresía del canal y del equipo al vincular la ejecución de un libro de jugadas a un canal que permite a los mi... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34152 – Playbook Run Metadata leak to Guest
https://notcve.org/view.php?id=CVE-2024-34152
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control which allows a guest to get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server Las versiones de Mattermost 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 y 8.1.x <= 8.1.12 no realizan el control de acceso adecuado que permite a un invitado obtener los metadatos de una ejecución de libro de jugadas público que se vincula ... • https://mattermost.com/security-updates • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-34029 – AD/LDAP Group Members Leak
https://notcve.org/view.php?id=CVE-2024-34029
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-4198
https://notcve.org/view.php?id=CVE-2024-4198
26 Apr 2024 — Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests. Las versiones de Mattermost 9.6.0, 9.5.x anteriores a 9.5.3 y 8.1.x anteriores a 8.1.12 no validan completamente los cambios de roles, lo que permite a un atacante autenticado como administrador del equipo degradar a los usuarios a invitados a través de solicitudes HTTP manipuladas. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •