CVE-2024-40884

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.5.x through 9.5.7 Mattermost versions 9.10.x through 9.10.0

Description The issue is related to improper permission enforcement, allowing a team admin user without the "Add Team Members" permission to disable the invite URL. This affects team admin users who should not have the capability to modify invite URLs due to missing permissions.

Recommendations For Mattermost versions 9.5.x through 9.5.7, update to a version later than 9.5.7 to resolve the issue. For Mattermost versions 9.10.x through 9.10.0, update to a version later than 9.10.0 to resolve the issue. As a temporary workaround, consider restricting team admin users' access to settings related to invite URLs until a patch is available.