PT-2024-29657 · Mattermost · Mattermost

Bharat

·

Published

2024-04-26

·

Updated

2024-06-05

·

CVE-2024-4195

CVSS v3.1

2.7

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 8.1.x through 8.1.11
Mattermost versions 9.5.x through 9.5.2
Mattermost version 9.6.0
Description

The issue allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests, because the server fails to fully validate role changes: it checks that the requester is a team admin but not that the requested transition (guest to team admin) is permitted for the target account.
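The following is an added illustration of the class of check the description refers to; it is not Mattermost's code and does not reproduce the actual request. The role names (system_guest, team_guest, team_user, team_admin, system_admin) are assumed to mirror Mattermost's space-separated role strings. The weak validator only confirms that the actor is a team admin, so a guest can be handed team_admin; the hardened one also validates the transition itself, rejecting promotion of guest accounts and rejecting unknown role names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed role names, modelled on Mattermost's naming (illustrative only).
const (
	RoleSystemAdmin = "system_admin"
	RoleSystemGuest = "system_guest"
	RoleTeamGuest   = "team_guest"
	RoleTeamUser    = "team_user"
	RoleTeamAdmin   = "team_admin"
)

var (
	ErrForbidden    = errors.New("forbidden: actor may not change team roles")
	ErrInvalidRoles = errors.New("invalid role change")
)

// member carries the space-separated role strings for one account.
type member struct {
	UserRoles string // system-level roles, e.g. "system_user" or "system_guest"
	TeamRoles string // team-level roles, e.g. "team_user team_admin"
}

// hasRole reports whether the space-separated role list contains want.
func hasRole(roles, want string) bool {
	for _, r := range strings.Fields(roles) {
		if r == want {
			return true
		}
	}
	return false
}

// weakValidate authorizes the actor only: any team admin (or system admin)
// may assign any team roles to any member. Nothing inspects the target or
// the requested roles, which is the failure mode the advisory describes.
func weakValidate(actor, target member, newRoles string) error {
	if !hasRole(actor.TeamRoles, RoleTeamAdmin) && !hasRole(actor.UserRoles, RoleSystemAdmin) {
		return ErrForbidden
	}
	return nil
}

// hardenedValidate keeps the actor check and additionally validates the
// transition: guest accounts may only hold team_guest, non-guests may not be
// given team_guest, and unknown role names are rejected outright.
func hardenedValidate(actor, target member, newRoles string) error {
	if err := weakValidate(actor, target, newRoles); err != nil {
		return err
	}
	requested := strings.Fields(newRoles)
	if len(requested) == 0 {
		return fmt.Errorf("%w: empty role list", ErrInvalidRoles)
	}
	targetIsGuest := hasRole(target.UserRoles, RoleSystemGuest) || hasRole(target.TeamRoles, RoleTeamGuest)
	for _, r := range requested {
		switch r {
		case RoleTeamUser, RoleTeamAdmin:
			if targetIsGuest {
				return fmt.Errorf("%w: guest accounts cannot be promoted to %s", ErrInvalidRoles, r)
			}
		case RoleTeamGuest:
			if !targetIsGuest {
				return fmt.Errorf("%w: only guest accounts may hold %s", ErrInvalidRoles, r)
			}
		default:
			return fmt.Errorf("%w: unknown team role %q", ErrInvalidRoles, r)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a team admin tries to hand team_admin to a guest.
	admin := member{UserRoles: "system_user", TeamRoles: "team_user team_admin"}
	guest := member{UserRoles: "system_guest", TeamRoles: "team_guest"}
	fmt.Println("weak:    ", weakValidate(admin, guest, "team_user team_admin"))     // <nil>: accepted
	fmt.Println("hardened:", hardenedValidate(admin, guest, "team_user team_admin")) // rejected
}
```

The point of the split is that authorization of the requester and validation of the requested state are two separate checks; passing the first says nothing about whether the second should succeed.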
Recommendations

For Mattermost versions 8.1.x through 8.1.11, update to version 8.1.12 or later.
For Mattermost versions 9.5.x through 9.5.2, update to version 9.5.3 or later.
For Mattermost version 9.6.0, consider restricting the role change functionality until a patch is available.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-4195
GHSA-5FH7-7MW7-MMX5
GO-2024-2793

Affected Products

Mattermost