Ben Cooke

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.2 Mattermost versions 9.11.x through 9.11.11 Description: The issue is related to improper verification of a user's permissions when accessing groups. This allows an attacker to view group information via an API request. Recommendations: For Mattermost versions 10.5.x through 10.5.2, update to a version later than 10.5.2 to resolve the issue. For Mattermost versions 9.11.x through 9.11.11, update to a version later than 9.11.11 to resolve the issue. As a temporary workaround, consider restricting access to group information via API requests until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.9 Mattermost versions 9.11.X through 9.11.1 **Description** The issue arises when using desktop SSO, where Mattermost incorrectly issues two sessions - one in the browser and one in the desktop application, both with incorrect settings. **Recommendations** For versions 9.5.x through 9.5.9, update to the latest release to mitigate the risk. For versions 9.11.X through 9.11.1, update to the latest release to mitigate the risk. As a temporary workaround, consider restricting the use of desktop SSO until a patch is available.