Omar Ahmed

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.11.0 through 9.11.5 **Description** The issue is related to the failure of Mattermost to enforce invite permissions. This allows team admins, who do not have permission to invite users to their team, to invite users by making their team public and updating the `allow open invite` field. **Recommendations** For Mattermost versions 9.11.0 through 9.11.5, update to version 9.11.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of team admins to make their teams public until a patch is available. Restrict access to the `allow open invite` field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.7 Mattermost versions 9.10.x through 9.10.0 **Description** The issue is related to improper permission enforcement, allowing a team admin user without the "Add Team Members" permission to disable the invite URL. This affects team admin users who should not have the capability to modify invite URLs due to missing permissions. **Recommendations** For Mattermost versions 9.5.x through 9.5.7, update to a version later than 9.5.7 to resolve the issue. For Mattermost versions 9.10.x through 9.10.0, update to a version later than 9.10.0 to resolve the issue. As a temporary workaround, consider restricting team admin users' access to settings related to invite URLs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost Server versions 8.1.x through 8.1.10 Mattermost Server versions 9.3.x through 9.3.2 Mattermost Server versions 9.4.x through 9.4.3 Mattermost Server versions 9.5.x through 9.5.1 **Description** The issue is related to improper access control in the Mattermost Server, specifically in the "/api/v4/users/me/teams" endpoint, allowing a team admin to get the invite ID of their team and invite users even if the "Add Members" permission was explicitly removed from team admins. **Recommendations** For Mattermost Server versions 8.1.x through 8.1.10, update to version 8.1.11 or later. For Mattermost Server versions 9.3.x through 9.3.2, update to version 9.3.3 or later. For Mattermost Server versions 9.4.x through 9.4.3, update to version 9.4.4 or later. For Mattermost Server versions 9.5.x through 9.5.1, update to version 9.5.2 or later.