CVE-2024-29977
Published: 2024-08-01

Priority: P4 (25)
CVSS 3.1 base score: 4.3 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.28% (19.4th percentile)
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to properly validate synced reactions when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts.

Affected (7 ranges)

Vendor     | Product                          | Version range                                  | Fixed in
github.com | mattermost_mattermost-server     | >= 9.5.0+incompatible < 9.5.7+incompatible     | 9.5.7+incompatible
github.com | mattermost_mattermost-server     | >= 9.9.0+incompatible < 9.9.1+incompatible     | 9.9.1+incompatible
github.com | mattermost_mattermost_server_v8  | >= 9.5.0 < 9.5.7                               | 9.5.7
github.com | mattermost_mattermost_server_v8  | >= 9.9.0 < 9.9.1                               | 9.9.1
mattermost | mattermost                       |                                                |
mattermost | mattermost                       | >= 9.5.0 < 9.5.7                               | 9.5.7
mattermost | mattermost                       | 9.5.0 – 9.5.6                                  |