CVE-2024-2447

Summary

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.5.0 <= 9.5.1affected
MattermostMattermost9.4.0 <= 9.4.3affected
MattermostMattermost9.3.0 <= 9.3.2affected
MattermostMattermost8.1.0 <= 8.1.10affected
MattermostMattermost9.6.0unaffected
MattermostMattermost9.5.2unaffected
MattermostMattermost9.4.4unaffected
MattermostMattermost9.3.3unaffected
MattermostMattermost8.1.11unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References