Bob10X1

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.7.x through 10.7.0 Mattermost versions 10.5.x through 10.5.3 Mattermost versions 9.11.x through 9.11.12 **Description** The issue is related to the failure of Mattermost to properly enforce access controls for guest users accessing channel member information. This allows authenticated guest users to view metadata about members of public channels via the "channel members API endpoint". **Recommendations** For versions 10.7.x through 10.7.0, consider restricting access to the channel members API endpoint to prevent guest users from viewing metadata about members of public channels. For versions 10.5.x through 10.5.3, restrict access to the channel members API endpoint to minimize the risk of exploitation. For versions 9.11.x through 9.11.12, limit the access of guest users to the channel members API endpoint until a fix is available.

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.1 Mattermost versions 10.4.x through 10.4.3 Mattermost versions 9.11.x through 9.11.9 Description: The issue arises from the failure to restrict certain operations on system admins to only other system admins. This allows delegated granular administration users with the `Edit Other Users` permission to perform unauthorized modifications to system administrators via improper permission validation. Recommendations: For Mattermost versions 10.5.x through 10.5.1, update to a version that properly restricts operations on system admins. For Mattermost versions 10.4.x through 10.4.3, update to a version that properly restricts operations on system admins. For Mattermost versions 9.11.x through 9.11.9, update to a version that properly restricts operations on system admins. As a temporary workaround, consider restricting the `Edit Other Users` permission to prevent unauthorized modifications to system administrators.