PT-2024-20554 · Mattermost · Mattermost

Vultza

Published

2024-02-09

Updated

2024-06-05

CVE-2024-24776

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions prior to v8.1.8

Description Mattermost fails to check the required permissions in the "POST /api/v4/channels/stats/member count" API endpoint, resulting in channel member counts being leaked to a user without permissions.

Recommendations For versions prior to v8.1.8, update to version v8.1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "POST /api/v4/channels/stats/member count" API endpoint until a patch is available.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

BIT-MATTERMOST-2024-24776

CVE-2024-24776

GHSA-R833-W756-H5P2

GO-2024-2566

Affected Products

Mattermost

PT-2024-20554 · Mattermost · Mattermost

CVE-2024-24776

Weakness Enumeration

Related Identifiers

Affected Products

References · 13