Mattermost Server Improper Access Control
Moderate severity
GitHub Reviewed
Published
Apr 5, 2024
to the GitHub Advisory Database
•
Updated Dec 13, 2024
Package
Affected versions
>= 8.1.0, < 8.1.11
>= 9.5.0, < 9.5.2
>= 9.4.0, < 9.4.4
>= 9.3.0, < 9.3.3
Patched versions
8.1.11
9.5.2
9.4.4
9.3.3
Description
Published by the National Vulnerability Database
Apr 5, 2024
Published to the GitHub Advisory Database
Apr 5, 2024
Reviewed
Apr 5, 2024
Last updated
Dec 13, 2024
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the
/api/v4/users/me/teams
endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.References