CVE-2024-4198: Mattermost fails to fully validate role changes
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
References
- github.com/advisories/GHSA-5qx9-9ffj-5r8f
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/3d6d8a7c1f7105558fe266a1b379859a4dba4e9b
- github.com/mattermost/mattermost/commit/408ce4a82bb55ce27801f7044d9b3b49e82c47ed
- github.com/mattermost/mattermost/commit/fba5b8e348feada9b21290369c3598ccd5c04424
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2024-4198
Detect and mitigate CVE-2024-4198 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →