PT-2025-7708 · Mattermost · Mattermost

Published 2025-02-24 · Updated 2025-03-01 · CVE-2025-24490

CVSS v3.1: 9.6

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions:

Mattermost versions 9.11.x through 9.11.7

Mattermost versions 10.2.x through 10.2.2

Mattermost versions 10.3.x through 10.3.2

Mattermost versions 10.4.x through 10.4.1

Description:

The issue allows an attacker to retrieve data from the database via SQL injection when reordering specially crafted board categories, because the SQL query used for board reordering does not use prepared statements.
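To make the root cause concrete, the following added example (written for this page, not Mattermost's own code or schema) contrasts a reorder routine that splices category ids into the SQL text with one that validates the ids and binds them as query parameters. The table name, column names, id format and sample rows are constructed assumptions; SQLite is used only so the example runs offline.

```python
import re
import sqlite3

# Constructed toy schema standing in for a per-user board category ordering.
# This is NOT Mattermost's schema; names are assumptions for the example.
SCHEMA = """
CREATE TABLE category_order (
    user_id     TEXT NOT NULL,
    category_id TEXT NOT NULL,
    sort_order  INTEGER NOT NULL,
    PRIMARY KEY (user_id, category_id)
);
"""

# Hypothetical id shape: identifier-like strings only (assumption, not a Mattermost rule).
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def open_db():
    """Create an in-memory database with three constructed categories for user u1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO category_order VALUES (?, ?, ?)",
        [("u1", "cat_a", 0), ("u1", "cat_b", 1), ("u1", "cat_c", 2)],
    )
    return conn


def reorder_unsafe(conn, user_id, ordered_ids):
    """'Before' pattern: request values are pasted into the SQL text.

    Any quote character inside an id becomes part of the statement, so the
    database parses attacker-controlled text as SQL instead of as data.
    """
    for pos, cat_id in enumerate(ordered_ids):
        sql = (
            f"UPDATE category_order SET sort_order = {pos} "
            f"WHERE user_id = '{user_id}' AND category_id = '{cat_id}'"
        )
        conn.execute(sql)
    conn.commit()


def reorder_safe(conn, user_id, ordered_ids):
    """Hardened pattern: reject malformed ids, then bind every value as a parameter."""
    for cat_id in ordered_ids:
        if not ID_PATTERN.match(cat_id):
            raise ValueError(f"invalid category id: {cat_id!r}")
    rows = [(pos, user_id, cat_id) for pos, cat_id in enumerate(ordered_ids)]
    conn.executemany(
        "UPDATE category_order SET sort_order = ? "
        "WHERE user_id = ? AND category_id = ?",
        rows,
    )
    conn.commit()


def current_order(conn, user_id):
    """Return category ids for a user in their stored sort order."""
    cur = conn.execute(
        "SELECT category_id FROM category_order WHERE user_id = ? ORDER BY sort_order",
        (user_id,),
    )
    return [row[0] for row in cur.fetchall()]


def unsafe_query_breaks_on_quote(conn, user_id, cat_id):
    """True if the string-built query fails to parse once the id contains a quote.

    A parse error is the benign symptom; the same lack of separation between
    code and data is what lets crafted input change the query's meaning.
    """
    try:
        reorder_unsafe(conn, user_id, [cat_id])
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    reorder_safe(db, "u1", ["cat_c", "cat_a", "cat_b"])
    print("order after safe reorder:", current_order(db, "u1"))
    print("string-built query breaks on a quote:",
          unsafe_query_breaks_on_quote(db, "u1", "cat'a"))
```

The two functions issue the same UPDATE; the only difference is whether the ids travel inside the SQL text or as bound parameters. Input validation in `reorder_safe` is a second, independent layer: even with parameters bound, a category id the application never generates has no business reaching the database.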

Recommendations:

For versions 9.11.x through 9.11.7, update to a version that includes the fix for this issue.

For versions 10.2.x through 10.2.2, update to a version that includes the fix for this issue.

For versions 10.3.x through 10.3.2, update to a version that includes the fix for this issue.

For versions 10.4.x through 10.4.1, update to a version that includes the fix for this issue.

Fix

Weakness Enumeration: SQL injection

Related Identifiers: BDU:2025-09051, CVE-2025-24490

Affected Products: Mattermost