CVE-2024-50052 — Missing Authorization in Mattermost Mattermost Server V8

CWE-862 — Missing Authorization5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 51.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost Server V8 Mattermost Server Mattermost

Timeline

PublishedOct 29

Latest updateNov 4

Description

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDmattermost/mattermost_server9.5.0 — 9.5.10+2

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20240926115259-20ed58906adc

▶CVEListV5mattermost/mattermost9.10.0 — 9.10.2+2

🔴Vulnerability Details

OSV

Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server↗2024-11-04

▶

GHSA

Mattermost server allows authenticated user to delete arbitrary post↗2024-10-29

▶

CVEList

Arbitrary post deletion via Playbooks /ignore-thread endpoint↗2024-10-29

▶

OSV

Mattermost server allows authenticated user to delete arbitrary post↗2024-10-29

▶