Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.
2024-08-01T15:15:12.993
2024-09-04T17:34:06.817
Analyzed
CVSSv3.1: 4.3 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | mattermost | mattermost_server | < 9.5.7 | Yes |
| Application | mattermost | mattermost_server | < 9.7.6 | Yes |
| Application | mattermost | mattermost_server | < 9.8.2 | Yes |
| Application | mattermost | mattermost_server | 9.9.0 | Yes |