CVE-2024-1888

Summary

Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 9.4.1affected
MattermostMattermost0 <= 9.3.0affected
MattermostMattermost0 <= 9.2.4affected
MattermostMattermost0 <= 8.1.8affected
MattermostMattermost9.5.0unaffected
MattermostMattermost9.4.2unaffected
MattermostMattermost9.3.1unaffected
MattermostMattermost9.2.5unaffected
MattermostMattermost8.1.9unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References