PT-2024-32335 · Mattermost+1

C0Rydoras · Published 2024-09-26 · Updated 2024-11-05 · CVE-2024-47003

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.0; Mattermost versions 9.5.x through 9.5.8.

Description: The issue arises from the failure to validate that the message of a permalink post is a string, allowing an attacker to send a non-string value as the message and crash the frontend. Additionally, Mattermost does not strip embeds from metadata when broadcasting posted events, which can be exploited to include arbitrary embeds in posts or trigger a client-side Denial of Service (DoS) by sending a permalink with a non-string message.

Recommendations: For Mattermost versions 9.11.x through 9.11.0, update to a version that includes the fix for this issue. For Mattermost versions 9.5.x through 9.5.8, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the broadcasting of posted events or restricting the use of permalink posts until a patch is available. Restrict access to the metadata and embeds components to minimize the risk of exploitation.
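The two server-side checks the description says were missing, a type check on the post message and the removal of embeds from metadata before a posted event is broadcast, can be illustrated in Go (the language Mattermost is written in). The following is an added example, not Mattermost's own code: the `Post` and `PostMetadata` types, the `ValidatePost` and `SanitizeForBroadcast` functions and the sample payloads are all hypothetical stand-ins that only mirror the JSON fields the advisory mentions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// PostMetadata and Post are deliberately reduced stand-ins for the fields this
// example needs; they are assumptions for the demo, not Mattermost's model types.
type PostMetadata struct {
	Embeds    []map[string]any `json:"embeds,omitempty"`
	Reactions []map[string]any `json:"reactions,omitempty"`
}

type Post struct {
	ID       string          `json:"id"`
	Message  json.RawMessage `json:"message"` // kept raw so the type is checked explicitly
	Metadata *PostMetadata   `json:"metadata,omitempty"`
}

var ErrMessageNotString = errors.New("post message must be a JSON string")

// ValidatePost decodes a client-supplied post and returns its message only if
// the "message" field is a JSON string. Objects, arrays, numbers, booleans,
// null and a missing field are all rejected, which is the check whose absence
// let a non-string message reach the frontend.
func ValidatePost(raw []byte) (Post, string, error) {
	var p Post
	if err := json.Unmarshal(raw, &p); err != nil {
		return Post{}, "", err
	}
	m := bytes.TrimSpace(p.Message)
	// json.Unmarshal treats null as a no-op for a string target, so null must
	// be rejected here instead of relying on the type check below to fail.
	if len(m) == 0 || bytes.Equal(m, []byte("null")) {
		return Post{}, "", ErrMessageNotString
	}
	var msg string
	if err := json.Unmarshal(m, &msg); err != nil {
		return Post{}, "", ErrMessageNotString
	}
	return p, msg, nil
}

// SanitizeForBroadcast validates the post and drops the "embeds" from its
// metadata before the post is serialised into a posted event, so recipients
// are never handed embeds that the sender attached directly.
func SanitizeForBroadcast(raw []byte) ([]byte, error) {
	p, _, err := ValidatePost(raw)
	if err != nil {
		return nil, err
	}
	if p.Metadata != nil {
		p.Metadata.Embeds = nil
	}
	return json.Marshal(p)
}

func main() {
	// Constructed sample payloads; the IDs and the embed content are made up.
	samples := [][]byte{
		[]byte(`{"id":"p1","message":"hello","metadata":{"embeds":[{"type":"permalink","data":{"post_id":"p0"}}]}}`),
		[]byte(`{"id":"p2","message":{"unexpected":"object"}}`),
		[]byte(`{"id":"p3","message":null}`),
	}
	for _, s := range samples {
		out, err := SanitizeForBroadcast(s)
		if err != nil {
			fmt.Printf("rejected: %v\n", err)
			continue
		}
		fmt.Printf("broadcast: %s\n", out)
	}
}
```

Keeping the message as `json.RawMessage` makes the string check an explicit step rather than something the decoder does implicitly; a struct field of type `string` would already reject objects, but would silently accept `null`, which is why the example tests for it separately. Stripping `Embeds` before marshalling means the broadcast payload carries only what the server itself resolves.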

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

BIT-MATTERMOST-2024-47003
CVE-2024-47003
GHSA-59HF-MPF8-PQJH
GO-2024-3164
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Mattermost
Suse