Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, and 9.8.x <= 9.8.1 fail to prevent users from setting their own remote username when shared channels are enabled. This allows a user on a remote to set their remote username prop to an arbitrary string, which is then synced to the local server as long as the user has not been synced before.
References
Link | Resource |
---|---|
https://mattermost.com/security-updates | Vendor Advisory |
History
04 Sep 2024, 17:34
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
References | https://mattermost.com/security-updates - Vendor Advisory | |
CPE | cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:* cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* | |
CWE | NVD-CWE-noinfo | |
First Time | Mattermost; Mattermost mattermost Server | |
01 Aug 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-08-01 15:15
Updated : 2024-09-04 17:34
NVD link : CVE-2024-39839
Mitre link : CVE-2024-39839
CVE.ORG link : CVE-2024-39839
Products Affected
mattermost
- mattermost_server
CWE