CVE-2023-49874Improper Access Control in Mattermost

CWE-284Improper Access Control3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 70.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MattermostMattermost Server
Timeline
PublishedDec 12

Description

Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5mattermost/mattermost8.1.5+4
NVDmattermost/mattermost_server8.0.08.1.5+4

🔴Vulnerability Details

2
CVEList
IDOR when updating the tasks of a private playbook run2023-12-12
GHSA
GHSA-5gq6-83ww-xr95: Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a privat2023-12-12
CVE-2023-49874 — Improper Access Control in Mattermost | cvebase