PT-2024-28694 · Mattermost · Mattermost

Juho Forsén · Published 2024-08-01 · Updated 2024-09-05 · CVE-2024-39839

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.5.x through 9.5.6
Mattermost versions 9.7.x through 9.7.5
Mattermost versions 9.8.x through 9.8.1
Mattermost versions 9.9.x through 9.9.0

Description

The issue allows a user on a remote server to set their remote username property to an arbitrary string when shared channels are enabled. This arbitrary string would then be synced to the local server if the user had not been synced before.

Recommendations

For Mattermost versions 9.5.x through 9.5.6, update to a version that disallows users from setting their own remote username.
For Mattermost versions 9.7.x through 9.7.5, update to a version that disallows users from setting their own remote username.
For Mattermost versions 9.8.x through 9.8.1, update to a version that disallows users from setting their own remote username.
For Mattermost versions 9.9.x through 9.9.0, update to a version that disallows users from setting their own remote username.

As a temporary workaround, consider restricting the ability of users to set their remote username property until a patch is available.

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

BIT-MATTERMOST-2024-39839
CVE-2024-39839
GHSA-VG6Q-84P8-QVQH
GO-2024-3024

Affected Products

Mattermost