0X7Oda7123

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.6.0 through 11.6.1 Mattermost versions 11.5.0 through 11.5.4 Mattermost versions 10.11.0 through 10.11.16 **Description** An issue exists where the system fails to enforce the `PermissionInviteUser` check when setting `AllowOpenInvite` or `AllowedDomains` during the creation of a team. This occurs because the permission check was only applied during update or patch operations. Consequently, an authenticated user with `PermissionCreateTeam` but without `PermissionInviteUser` can configure invite-controlled settings, such as making a team publicly joinable via open invite or constraining membership through allowed domains. This is achievable via the 'POST /api/v4/teams' endpoint by including `allow open invite: true` and/or a non-empty `allowed domains` in the request body. **Recommendations** Update Mattermost versions 11.6.0 through 11.6.1 to a version later than 11.6.1. Update Mattermost versions 11.5.0 through 11.5.4 to a version later than 11.5.4. Update Mattermost versions 10.11.0 through 10.11.16 to a version later than 10.11.16.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to 11.6.2 Mattermost versions prior to 11.5.5 Mattermost versions prior to 10.11.17 **Description** An issue exists where `role updated` websocket event broadcasts are not restricted to members of the affected team or channel. This allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of through the websocket connection. **Recommendations** Update to version 11.6.2 or later. Update to version 11.5.5 or later. Update to version 10.11.17 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost version 11.5.1 **Description** An issue exists where the system fails to validate the team-level `run create` permission against the target team during the creation of a playbook run. This allows an authenticated team member to create runs in teams where they lack the necessary permissions by specifying a different team ID in the run creation API request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Mattermost versions 11.4.0 through 11.4.3 **Description** An issue exists where public/private permissions are not properly verified, allowing members who lack these permissions to access public playbooks through the '/get' endpoint. **Recommendations** Update Mattermost versions 11.5.0 through 11.5.1 to a version newer than 11.5.1. Update Mattermost versions 10.11.0 through 10.11.13 to a version newer than 10.11.13. Update Mattermost versions 11.4.0 through 11.4.3 to a version newer than 11.4.3. As a temporary workaround, restrict access to the '/get' endpoint to minimize the risk of unauthorized playbook access.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 **Description** An issue exists where the system fails to verify if the `team id` is modified during playbook updates. This allows users possessing only the `Manage Playbook Configurations` permission to change the team associated with a playbook, thereby bypassing restrictions intended to manage members via the 'PUT' API endpoint. **Recommendations** Update Mattermost versions 11.5.0 through 11.5.1 to a version later than 11.5.1. Update Mattermost versions 10.11.0 through 10.11.13 to a version later than 10.11.13.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Mattermost versions 11.4.0 through 11.4.3 **Description** An issue exists where the software fails to verify the `create post` channel permission during post edit operations. This allows an authenticated attacker who has had their posting privileges revoked to modify their existing posts by sending direct API requests to the post update and patch endpoints. **Recommendations** Update versions 11.5.0 through 11.5.1 to a version newer than 11.5.1. Update versions 10.11.0 through 10.11.13 to a version newer than 10.11.13. Update versions 11.4.0 through 11.4.3 to a version newer than 11.4.3.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.0 **Description** Mattermost fails to properly validate team-specific upload permissions. This allows a guest user to post files in channels where they do not have upload permissions. The issue occurs by uploading files in a team where the user has permission, then reusing the file metadata in a POST request to a different team. The `upload file` permission is not correctly enforced across teams, leading to potential unauthorized file uploads. **Recommendations** Update Mattermost to a version beyond 10.11.10. Update Mattermost to a version beyond 11.2.2. Update Mattermost to a version beyond 11.3.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.2.0 through 11.2.2 Mattermost versions 11.3.0 **Description** The software does not properly verify the `run create` permission when a `playbookId` is empty. This allows team members to create unauthorized runs through the playbook run API. The vulnerable component is located in github.com/mattermost/mattermost-plugin-playbooks. The API endpoint used for exploitation is the playbook run API. The vulnerable parameter is `playbookId`. **Recommendations** Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 11.3.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.0 **Description** The software does not correctly check team membership when searching for channels. This allows a team member who has been removed to list all public channels within a private team by using the channel search API endpoint `/api/channels/search`. The issue affects Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, and 11.3.x through 11.3.0. **Recommendations** Update Mattermost to a version later than 10.11.10. Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 11.3.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.0 through 10.11.10 Mattermost versions 11.2.0 through 11.2.2 Mattermost versions 11.3.0 **Description** Mattermost does not correctly enforce read permissions in the search API endpoints. This allows guest users without read permissions to access posts and files in channels by making requests to the search API. The vulnerable API endpoints are not explicitly specified. The `search API` is affected. The vulnerable parameter is not specified. **Recommendations** Mattermost versions 10.11.0 through 10.11.10 should be updated. Mattermost versions 11.2.0 through 11.2.2 should be updated. Mattermost version 11.3.0 should be updated.

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.3 Mattermost versions 9.11.x through 9.11.11 Description: The issue arises when a user lacks access to `ExperimentalSettings`, causing the system to fail in checking the `RestrictSystemAdmin` setting. This allows a System Manager to access `ExperimentSettings` even when `RestrictSystemAdmin` is set to true, which can be done via the System Console. Recommendations: For Mattermost versions 10.5.x through 10.5.3, update to a version later than 10.5.3 to resolve the issue. For Mattermost versions 9.11.x through 9.11.11, update to a version later than 9.11.11 to resolve the issue. As a temporary workaround, consider restricting access to `ExperimentSettings` for System Managers until a patch is available.

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.6.x through 10.6.1 Mattermost versions 10.5.x through 10.5.2 Mattermost versions 10.4.x through 10.4.4 Mattermost versions 9.11.x through 9.11.11 Description: The issue arises from incorrect permission checks, allowing authenticated users with permission to invite non-guest users to a team to add guest users to that team via the API. This enables them to add a single user to a team. Recommendations: For versions 10.6.x through 10.6.1, update to a version later than 10.6.1 to resolve the issue. For versions 10.5.x through 10.5.2, update to a version later than 10.5.2 to resolve the issue. For versions 10.4.x through 10.4.4, update to a version later than 10.4.4 to resolve the issue. For versions 9.11.x through 9.11.11, update to a version later than 9.11.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.11.x through 9.11.9 Mattermost versions 10.5.x through 10.5.1 **Description** The issue arises from the failure to enforce MFA checks in the PUT /api/v4/users/user-id/mfa endpoint when the requesting user differs from the target user ID. This allows users with the `edit other users` permission to activate or deactivate MFA for other users, even if those users have not set up MFA. **Recommendations** For versions 9.11.x through 9.11.9, update to a version that enforces MFA checks for the PUT /api/v4/users/user-id/mfa endpoint. For versions 10.5.x through 10.5.1, update to a version that enforces MFA checks for the PUT /api/v4/users/user-id/mfa endpoint. As a temporary workaround, consider restricting the `edit other users` permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.11.x through 9.11.8 Mattermost versions 10.3.x through 10.3.3 Mattermost versions 10.4.x through 10.4.2 Mattermost versions 10.5.x through 10.5.0 **Description** The issue is related to the failure of Mattermost to enforce Multi-Factor Authentication (MFA) on plugin endpoints. This allows authenticated attackers to bypass MFA protections by sending API requests to plugin-specific routes. **Recommendations** For versions 9.11.x through 9.11.8, update to a version that enforces MFA on plugin endpoints. For versions 10.3.x through 10.3.3, update to a version that enforces MFA on plugin endpoints. For versions 10.4.x through 10.4.2, update to a version that enforces MFA on plugin endpoints. For versions 10.5.x through 10.5.0, update to a version that enforces MFA on plugin endpoints.