PT-2024-23173 · Mattermost · Mattermost

Juho Forsén

Published

2024-08-01

Updated

2024-08-23

CVE-2024-29977

CVSS v4.0

5.1

Medium

Vector

AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.9.x through 9.9.0 Mattermost versions 9.5.x through 9.5.6

Description The issue arises from the improper validation of synced reactions when shared channels are enabled. This allows a malicious remote user to create arbitrary reactions on arbitrary posts. The problem is related to the Mattermost server, specifically in the code found at github.com/mattermost/mattermost-server.

Recommendations For Mattermost versions 9.9.x through 9.9.0, update to a version that properly validates synced reactions. For Mattermost versions 9.5.x through 9.5.6, update to a version that properly validates synced reactions. As a temporary workaround, consider disabling shared channels to minimize the risk of exploitation.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2024-29977

GHSA-JQ3G-XQPX-37X3

GO-2024-3030

Affected Products

Mattermost

PT-2024-23173 · Mattermost · Mattermost

CVE-2024-29977

Weakness Enumeration

Related Identifiers

Affected Products

References · 10