Juho Nurminen

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.9 **Description** The issue arises when ElasticSearch is enabled, and Mattermost fails to properly filter channel data. This allows a user to obtain private channel names by using the cmd+K/ctrl+K shortcut. **Recommendations** For Mattermost versions 9.5.x through 9.5.9, update to the latest version to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to ElasticSearch or disabling the feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost Mobile Apps versions <=2.16.0 **Description** The issue arises from the failure to protect against abuse of a globally shared MathJax state, allowing an attacker to alter the contents of a LaTeX post. This can be achieved by creating another post with specific macro definitions. **Recommendations** For Mattermost Mobile Apps versions <=2.16.0, update to a version greater than 2.16.0 to resolve the issue. As a temporary workaround, consider restricting the use of LaTeX posts until a patch is available.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue arises from the use of `path.Base` to extract the expected HTTP-01 token value, which behaves differently on Windows due to the distinct path separator (`` vs `/`). This allows a user to provide a relative path, potentially leading to the extraction of an unintended path. The extracted path is then suffixed with `+http-01` and opened. The impact is limited, as it only allows reading arbitrary files on the system if they have the `+http-01` suffix. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.12 Mattermost versions 9.5.x through 9.5.3 Mattermost versions 9.6.x through 9.6.1 **Description** The issue arises from inadequate input validation on post actions, allowing an attacker to execute a playbook checklist task command as another user. This can be achieved by creating and sharing a deceptive post action that unexpectedly runs a slash command in an arbitrary channel. **Recommendations** For Mattermost versions 8.1.x through 8.1.12, update to a version later than 8.1.12 to resolve the issue. For Mattermost versions 9.5.x through 9.5.3, update to a version later than 9.5.3 to resolve the issue. For Mattermost versions 9.6.x through 9.6.1, update to a version later than 9.6.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.12 Mattermost versions 9.5.x through 9.5.3 Mattermost versions 9.6.x through 9.6.1 **Description** The issue is related to a failure in enforcing proper access controls, allowing users to view arbitrary post contents. This can be achieved via the `/playbook` add slash command. **Recommendations** For Mattermost versions 8.1.x through 8.1.12, update to a version later than 8.1.12 to resolve the issue. For Mattermost versions 9.5.x through 9.5.3, update to a version later than 9.5.3 to resolve the issue. For Mattermost versions 9.6.x through 9.6.1, update to a version later than 9.6.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.12 Mattermost versions 9.5.x through 9.5.3 Mattermost versions 9.6.x through 9.6.1 Mattermost versions 9.7.x through 9.7.1 **Description** The issue is related to a failure in enforcing proper access control, allowing a user to run a slash command in a channel they are not a member of. This can be achieved by linking a playbook run to that channel and running a slash command as a playbook task command. **Recommendations** For versions 8.1.x through 8.1.12, consider restricting access to the playbook run feature to prevent exploitation. For versions 9.5.x through 9.5.3, restrict access to the slash command feature in channels where the user is not a member. For versions 9.6.x through 9.6.1, avoid using the playbook task command to run slash commands in channels where the user is not a member. For versions 9.7.x through 9.7.1, consider disabling the linking of playbook runs to channels where the user is not a member as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.11 Mattermost versions 9.4.x through 9.4.4 Mattermost versions 9.5.x through 9.5.2 Mattermost version 9.6.0 **Description** The issue arises from the failure to handle JSON parsing errors in custom status values, allowing an authenticated attacker to crash other users' web clients via a malformed custom status. **Recommendations** For Mattermost versions 8.1.x through 8.1.11, update to version 8.1.12 or later. For Mattermost versions 9.4.x through 9.4.4, update to version 9.4.5 or later. For Mattermost versions 9.5.x through 9.5.2, update to version 9.5.3 or later. For Mattermost version 9.6.0, update to a version that includes the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.11 Mattermost versions 9.5.x through 9.5.2 Mattermost version 9.6.0 **Description** The issue arises from the failure to fully validate role changes, allowing an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests. **Recommendations** For Mattermost versions 8.1.x through 8.1.11, update to version 8.1.12 or later. For Mattermost versions 9.5.x through 9.5.2, update to version 9.5.3 or later. For Mattermost version 9.6.0, consider disabling role change functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost Mobile app versions 2.13.0 and earlier **Description** The issue allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link, due to the use of a regular expression with polynomial complexity to parse certain deeplinks. **Recommendations** For Mattermost Mobile app versions 2.13.0 and earlier, update to a version later than 2.13.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.10 Mattermost versions 9.3.x through 9.3.2 Mattermost versions 9.4.x through 9.4.3 Mattermost versions 9.5.x through 9.5.1 **Description** The issue is related to the failure of Mattermost to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. **Recommendations** For versions 8.1.x through 8.1.10, update to version 8.1.11 or later. For versions 9.3.x through 9.3.2, update to version 9.3.3 or later. For versions 9.4.x through 9.4.3, update to version 9.4.4 or later. For versions 9.5.x through 9.5.1, update to version 9.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10 Mattermost Jira plugin versions shipped with Mattermost versions 9.2.x before 9.2.6 Mattermost Jira plugin versions shipped with Mattermost versions 9.3.x before 9.3.2 Mattermost Jira plugin versions shipped with Mattermost versions 9.4.x before 9.4.3 **Description** The Mattermost Jira plugin fails to escape user-controlled outputs when generating HTML pages, allowing an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server. **Recommendations** For Mattermost versions 8.1.x before 8.1.10, update to version 8.1.10 or later. For Mattermost versions 9.2.x before 9.2.6, update to version 9.2.6 or later. For Mattermost versions 9.3.x before 9.3.2, update to version 9.3.2 or later. For Mattermost versions 9.4.x before 9.4.3, update to version 9.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.9 Mattermost versions 9.2.x through 9.2.5 Mattermost versions 9.3.x through 9.3.1 Mattermost versions 9.4.x through 9.4.2 **Description** The issue arises from the failure to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. **Recommendations** For Mattermost versions 8.1.x through 8.1.9, update to version 8.1.10 or later. For Mattermost versions 9.2.x through 9.2.5, update to version 9.2.6 or later. For Mattermost versions 9.3.x through 9.3.1, update to version 9.3.2 or later. For Mattermost versions 9.4.x through 9.4.2, update to version 9.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** golang versions (affected versions not specified) http.Client (affected versions not specified) **Description** The issue is related to how an http.Client handles HTTP redirects. When an HTTP redirect is made to a domain that is not a subdomain match or exact match of the initial domain, sensitive headers such as `Authorization` or `Cookie` are not forwarded. However, a maliciously crafted HTTP redirect could cause these sensitive headers to be unexpectedly forwarded. For example, a redirect from foo.com to www.foo.com will forward the `Authorization` header, but a redirect to bar.com will not. **Recommendations** For golang, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For http.Client, consider restricting the forwarding of sensitive headers to only trusted domains to minimize the risk of exploitation. As a temporary workaround, consider disabling the automatic forwarding of sensitive headers until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.8 **Description** The issue allows an authenticated attacker who can control the update of an ephemeral post to access individual posts' contents in channels they are not a member of. This is due to a failure to sanitize data associated with permalinks when a plugin updates an ephemeral post. **Recommendations** For Mattermost versions 8.1.x through 8.1.8, update to version 8.1.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of plugins that update ephemeral posts until a patch is available. Additionally, restrict access to sensitive channels to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 8.1.x through 8.1.8 Mattermost versions 9.2.x through 9.2.4 Mattermost version 9.3.0 **Description** The issue arises from the failure to sanitize metadata on posts containing permalinks under specific conditions. This allows an authenticated attacker to access the contents of individual posts in channels they are not a member of. **Recommendations** For Mattermost versions 8.1.x through 8.1.8, update to version 8.1.9 or later. For Mattermost versions 9.2.x through 9.2.4, update to version 9.2.5 or later. For Mattermost version 9.3.0, update to a version later than 9.3.0. As a temporary workaround, consider restricting access to posts containing permalinks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** net/mail package in Go (affected versions not specified) **Description** The issue is related to the ParseAddressList function, which incorrectly handles comments within display names. This can lead to different trust decisions being made by programs using different parsers, potentially allowing a remote attacker to perform spoofing attacks by providing specially crafted input data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to 8.1.7 **Description** The issue is related to the failure to sanitize channel mention data in posts, allowing an attacker to inject markup in the web client. This can lead to a Cross-site Scripting vulnerability. **Recommendations** For versions prior to 8.1.7, update to version 8.1.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of channel mentions in posts until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost (affected versions not specified) **Description** The issue arises from Mattermost's failure to properly sanitize the user object when updating the username. This results in the password hash being included in the response body. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions 1.21 and later **Description** The go.mod toolchain directive can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. The issue is related to incorrect code generation management when loading the Go Toolchain. Exploitation of the issue may allow a remote attacker to elevate privileges and execute arbitrary code. **Recommendations** For Go version 1.21 and later, consider disabling the toolchain directive in the go.mod file as a temporary workaround until a patch is available. Restrict access to the go.mod file to minimize the risk of exploitation. Avoid using the go.mod toolchain directive in the "go" command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost (affected versions not specified) **Description** The issue is related to Mattermost failing to properly validate the origin of a websocket connection. This allows a Man-In-The-Middle (MITM) attacker on Mattermost to access the websocket APIs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.