PT-2024-18446 · Mattermost · Mattermost

Juho Nurminen · Published 2024-02-29 · Updated 2024-12-16 · CVE-2024-1952

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mattermost versions 8.1.x through 8.1.8
Description: The issue allows an authenticated attacker who can control the update of an ephemeral post to access individual posts' contents in channels they are not a member of. This is due to a failure to sanitize data associated with permalinks when a plugin updates an ephemeral post.
Recommendations: For Mattermost versions 8.1.x through 8.1.8, update to version 8.1.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of plugins that update ephemeral posts until a patch is available. Additionally, restrict access to sensitive channels to minimize the risk of exploitation.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-MATTERMOST-2024-1952
CVE-2024-1952
GHSA-R4FM-G65H-CR54
GO-2024-2635

Affected Products

Mattermost