CVE-2024-4195: Mattermost allows team admins to promote guests to team admins
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
References
- github.com/advisories/GHSA-5fh7-7mw7-mmx5
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/1e3497e0595bb4f9908c94dd9d4685d48556b7e8
- github.com/mattermost/mattermost/commit/f0872dd4e4ba34f061aa6982a71c7c29532aac2e
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2024-4195
Code Behaviors & Features
Detect and mitigate CVE-2024-4195 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →