PT-2024-28671 · Mattermost · Mattermost

Juho Forsén · Published 2024-08-01 · Updated 2024-08-30 · CVE-2024-39777

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.9.x through 9.9.0
Mattermost versions 9.5.x through 9.5.6
Mattermost versions 9.7.x through 9.7.5
Mattermost versions 9.8.x through 9.8.1

Description

When shared channels are enabled, a malicious remote user can send an unsolicited invite that carries the ID of an existing local channel. The receiving server then treats that local channel as shared, exposing it to the remote side without the consent of the local admin.

Recommendations

For Mattermost versions 9.9.x through 9.9.0, 9.5.x through 9.5.6, 9.7.x through 9.7.5 and 9.8.x through 9.8.1, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling shared channels until a patch is available.
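The mechanism described above, as an added example that is not Mattermost's own code: an in-memory model of the invite-handling step, with a handler that trusts the remote-supplied channel ID (the behaviour the advisory describes) beside a hardened one that refuses to turn an existing local channel into a shared one. All types, function names and channel IDs here are constructed for illustration and are assumptions, not the project's API.

```go
package main

import "errors"

// Channel is a minimal stand-in for a channel record (constructed for this example).
type Channel struct {
	ID       string
	Shared   bool
	RemoteID string // remote cluster the channel is shared with; "" when local-only
}

// Invite is a shared-channel invite as received from a remote cluster (constructed).
type Invite struct{ ChannelID, RemoteID string }

// ErrLocalChannelCollision is returned when an invite names a channel that already exists locally.
var ErrLocalChannelCollision = errors.New("invite targets an existing local channel; local admin consent required")

// Store is an in-memory channel store keyed by channel ID.
type Store struct{ channels map[string]*Channel }

func NewStore() *Store { return &Store{channels: map[string]*Channel{}} }

// AddLocal creates a purely local channel, as a local admin would.
func (s *Store) AddLocal(id string) { s.channels[id] = &Channel{ID: id} }

// IsShared reports whether the channel with the given ID is currently shared.
func (s *Store) IsShared(id string) bool { ch, ok := s.channels[id]; return ok && ch.Shared }

// HandleInviteVulnerable models the flawed behaviour: it trusts the remote-supplied
// channel ID and flips whatever channel it names to shared, including an existing local one.
func (s *Store) HandleInviteVulnerable(inv Invite) error {
	ch, ok := s.channels[inv.ChannelID]
	if !ok {
		ch = &Channel{ID: inv.ChannelID}
		s.channels[inv.ChannelID] = ch
	}
	ch.Shared, ch.RemoteID = true, inv.RemoteID
	return nil
}

// HandleInviteHardened only ever creates a new remote-owned channel: an ID that already
// exists locally is rejected unless it is this same remote's already-accepted share.
func (s *Store) HandleInviteHardened(inv Invite) error {
	if ch, ok := s.channels[inv.ChannelID]; ok {
		if ch.Shared && ch.RemoteID == inv.RemoteID {
			return nil // idempotent repeat of an invite already accepted
		}
		return ErrLocalChannelCollision
	}
	s.channels[inv.ChannelID] = &Channel{ID: inv.ChannelID, Shared: true, RemoteID: inv.RemoteID}
	return nil
}
```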

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-39777
GHSA-Q22Q-2RRF-M27P
GO-2024-3092

Affected Products

Mattermost