CVE-2024-24776Improper Access Control in Mattermost Mattermost-server

CWE-284Improper Access Control5 documents4 sources
Severity
4.3MEDIUMNVD
CNA3.1
EPSS
0.2%
top 62.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost+1 more
Timeline
PublishedFeb 9
Latest updateJun 5

Description

Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

Gogithub.com/mattermost_mattermost-server9.0.0+incompatible9.3.0+incompatible
CVEListV5mattermost/mattermost8.1.7+1

🔴Vulnerability Details

4
OSV
Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server2024-06-05
GHSA
Mattermost fails to check the required permissions2024-02-09
CVEList
Incorrect Authorization leads to Channel Member Count Leak2024-02-09
OSV
Mattermost fails to check the required permissions2024-02-09
CVE-2024-24776 — Improper Access Control | cvebase