CVE-2024-4198 — Improper Access Control in Mattermost Mattermost-server
Severity
2.7 LOW (NVD)
EPSS
0.1%
top 66.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 26
Latest update: Jun 5
Description
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.2 | Impact: 1.4
Affected Packages (3 packages)
Vulnerability Details
Vendor Advisories (4)
Red Hat (1)
mattermost: fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest (2024-04-26)