PT-2024-26936 · Mattermost · Mattermost

Juho Forsén · Published 2024-07-03 · Updated 2024-07-05 · CVE-2024-36257

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.5.x through 9.5.5; Mattermost version 9.8.0

Description

The issue arises when Mattermost is used with shared channels and multiple remote servers are connected. In such cases, the system fails to verify that the remote server requesting a profile picture update for a user is the same server where that user is hosted. This oversight allows a malicious remote server to alter the profile images of users belonging to another remote server that is connected to it.

Recommendations

For Mattermost versions 9.5.x through 9.5.5, update to a version later than 9.5.5 to resolve the issue. For Mattermost version 9.8.0, update to a version later than 9.8.0 to resolve the issue. As a temporary workaround, consider restricting access to profile picture updates for users from remote servers until a patch is available.
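To make the missing check concrete, here is an added example (not Mattermost's own code) in Go: a simplified model where each remote-homed user records the ID of its home remote cluster, with an update handler that behaves as the advisory describes next to one that rejects any requester other than that home cluster. The User and RemoteCluster types, field names and function names are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model of a shared-channels deployment (not Mattermost's code):
// a User carries the ID of the remote cluster that hosts it, or "" for a local user.
type User struct {
	ID       string
	RemoteID string // home remote cluster; "" when the user is hosted locally
	ImageRef string
}

type RemoteCluster struct {
	ID string
}

var ErrNotOwner = errors.New("requesting remote cluster is not the home of this user")

// vulnerableUpdateImage mirrors the flaw in the advisory: any connected remote
// cluster may replace the image of any user, including users homed elsewhere.
func vulnerableUpdateImage(u *User, requester RemoteCluster, imageRef string) error {
	u.ImageRef = imageRef
	return nil
}

// fixedUpdateImage applies the update only when the requesting remote cluster is
// the home of the user; local users and users homed on other remotes are rejected.
func fixedUpdateImage(u *User, requester RemoteCluster, imageRef string) error {
	if u.RemoteID == "" || u.RemoteID != requester.ID {
		return fmt.Errorf("user %s: %w", u.ID, ErrNotOwner)
	}
	u.ImageRef = imageRef
	return nil
}

func main() {
	// Constructed sample: remote B asks to change the picture of a user homed on remote A.
	alice := &User{ID: "alice", RemoteID: "remote-a", ImageRef: "orig.png"}
	remoteB := RemoteCluster{ID: "remote-b"}
	fmt.Println(vulnerableUpdateImage(alice, remoteB, "evil.png"), alice.ImageRef) // <nil> evil.png
	alice.ImageRef = "orig.png"
	fmt.Println(fixedUpdateImage(alice, remoteB, "evil.png"), alice.ImageRef) // error, orig.png
}
```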

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2024-36257

Affected Products: Mattermost