First published: Fri Apr 26 2024(Updated: )
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Credit: responsibledisclosure@mattermost.com responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/mattermost/mattermost-server | >=8.1.0<=8.1.11 | 8.1.12 |
go/github.com/mattermost/mattermost-server | >=9.5.0<=9.5.2 | 9.5.3 |
Update Mattermost Server to versions 9.7.0, 9.6.1, 9.5.3, 8.1.12 or higher.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.