PT-2025-38614 · Mattermost · Mattermost

Daw10 · Published 2025-09-19 · Updated 2025-09-26 · CVE-2025-9079

CVSS v3.1: 8.0
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions**

Mattermost versions 10.8.x through 10.8.3

Mattermost versions 10.5.x through 10.5.8

Mattermost versions 9.11.x through 9.11.17

Mattermost versions 10.10.x through 10.10.1

Mattermost versions 10.9.x through 10.9.3

Mattermost versions prior to 10.10.2

**Description**

The Mattermost server does not properly validate the configured import directory path. An administrator can exploit this path traversal to place a malicious plugin in the prepackaged plugins directory and so execute arbitrary code on the server, which results in unauthorized access and code execution.
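One defensive check for the class of flaw described above, written here as an added Go example that is not Mattermost's own code: a configured directory value (such as an import directory) is accepted only if it resolves inside an allowed root, which rejects `..` traversal, absolute paths outside the root, and symlinks that point outside it. The root and configured values are constructed assumptions, not real deployment paths.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a configured directory escapes the allowed root.
var ErrOutsideRoot = errors.New("configured directory escapes the allowed root")

// resolveIfExists follows symlinks when the path exists; otherwise it returns the
// cleaned path, so a directory that is not created yet can still be checked.
func resolveIfExists(p string) string {
	if resolved, err := filepath.EvalSymlinks(p); err == nil {
		return resolved
	}
	return filepath.Clean(p)
}

// ResolveWithinRoot returns the absolute, cleaned path for a configured directory
// only if it stays inside root. Relative values are joined under root; absolute
// values are accepted only when they resolve under root.
func ResolveWithinRoot(root, configured string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absRoot = resolveIfExists(absRoot)
	candidate := configured
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absRoot, candidate)
	}
	candidate = resolveIfExists(candidate)
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	// A relative path of ".." or starting with "../" means the candidate left root;
	// a name that merely begins with ".." (e.g. "..data") is a legitimate child.
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	// Constructed root and configured value, not a real deployment path.
	p, err := ResolveWithinRoot("/srv/mattermost-data", "import/../../etc")
	fmt.Println(p, err)
}
```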

**Recommendations**

Mattermost versions 10.8.x through 10.8.3 should be updated to a version later than 10.8.3.

Mattermost versions 10.5.x through 10.5.8 should be updated to a version later than 10.5.8.

Mattermost versions 9.11.x through 9.11.17 should be updated to a version later than 9.11.17.

Mattermost versions 10.10.x through 10.10.1 should be updated to a version later than 10.10.1.

Mattermost versions 10.9.x through 10.9.3 should be updated to a version later than 10.9.3.

Mattermost versions prior to 10.10.2 should be updated to version 10.10.2 or later.

Tags: Fix · RCE · Path traversal

**Weakness Enumeration**

**Related Identifiers**

CVE-2025-9079
GHSA-QX3F-6VQ3-8J8M
GO-2025-3977

**Affected Products**

Mattermost