CVE-2023-49874

Summary

Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 8.1.5affected
MattermostMattermost0 <= 9.0.3affected
MattermostMattermost0 <= 9.1.2affected
MattermostMattermost0 <= 9.2.1affected
MattermostMattermost0 <= 7.8.14affected
MattermostMattermost9.2.2unaffected
MattermostMattermost8.1.6unaffected
MattermostMattermost9.0.4unaffected
MattermostMattermost9.1.3unaffected
MattermostMattermost7.8.15unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

References