Lordwillmore

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.11.x through 10.11.2 **Description** The software does not properly validate guest user permissions when accessing channel information. This allows guest users to discover active public channels and their metadata. The affected API endpoint is `/api/v4/teams/{team id}/channels/ids`. The `team id` is a vulnerable parameter. **Recommendations** Update Mattermost to a version later than 10.5.10. Update Mattermost to a version later than 10.11.2.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.11.x through 10.11.2 **Description** The software does not correctly check permissions for guest users when adding members to channels. This allows guest users to add any team member to their private channels. The issue occurs through the `/api/v4/channels/{channel id}/members` API endpoint. The vulnerable parameter is `channel id`. **Recommendations** Update Mattermost to a version later than 10.5.10. Update Mattermost to a version later than 10.11.2.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to 11 **Description** The software does not properly restrict access to the archived channel search API. This allows guest users to discover archived public channels using the `/api/v4/teams/{team id}/channels/search archived` API endpoint. The vulnerable parameter is `team id`. **Recommendations** Update to version 11 or later.