Omarahmed1

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.0 through 10.11.9 **Description** Mattermost versions 10.11.x up to and including 10.11.9 do not properly enforce invite permissions when team settings are updated. This allows team administrators lacking the necessary permissions to circumvent restrictions and add users to their team using API requests. The issue involves bypassing intended limitations through the ''/api/teams/{team id}'' endpoint when updating team settings, specifically related to the `allow open invite` field. **Recommendations** Update Mattermost to a version later than 10.11.9.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.0 through 10.11.10 Mattermost versions 11.2.0 through 11.2.2 Mattermost versions 11.3.0 **Description** Mattermost does not properly filter invite IDs based on user permissions. This allows regular users to bypass access control restrictions and register unauthorized accounts using leaked invite IDs during team creation. **Recommendations** Update Mattermost to a version later than 10.11.10. Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 11.3.0.

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.8 Mattermost versions 9.11.x through 9.11.17 Mattermost versions 10.8.x through 10.8.3 Mattermost versions 10.9.x through 10.9.2 Description: The Mattermost application fails to sanitize the team invite ID in the `POST /api/v4/teams/:teamId/restore` API endpoint. This allows a team administrator lacking member invite privileges to obtain the team’s invite ID. Recommendations: Update Mattermost to a version later than 10.5.8. Update Mattermost to a version later than 9.11.17. Update Mattermost to a version later than 10.8.3. Update Mattermost to a version later than 10.9.2.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.11.x through 9.11.12 Mattermost versions 10.5.x through 10.5.3 Mattermost versions 10.6.x through 10.6.2 Mattermost versions 10.7.x through 10.7.0 **Description** The issue is related to the improper validation of permissions when changing team privacy settings. This allows team administrators without the 'invite user' permission to access and modify team invite IDs via the "/api/v4/teams/:teamId/privacy" endpoint. **Recommendations** For versions 9.11.x through 9.11.12, update to a version that properly validates permissions for team administrators. For versions 10.5.x through 10.5.3, update to a version that properly validates permissions for team administrators. For versions 10.6.x through 10.6.2, update to a version that properly validates permissions for team administrators. For versions 10.7.x through 10.7.0, update to a version that properly validates permissions for team administrators. As a temporary workaround, consider restricting access to the "/api/v4/teams/:teamId/privacy" endpoint until a patch is available.