CVE-2024-24776

Improper Access Control in go/github.com/mattermost/mattermost/server/v8

Identifiers

GHSA-r833-w756-h5p2, CVE-2024-24776

Package Slug

go/github.com/mattermost/mattermost/server/v8

Vulnerability

Improper Access Control

Description

Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.

Affected Versions

All versions before 8.1.8, all versions starting from 9.0.0 before 9.3.0

Solution

Upgrade to versions 8.1.8, 9.3.0 or above.

Last Modified

2024-02-20

source