CVE-2024-4198

Summary

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.6.0affected
MattermostMattermost9.5.0 <= 9.5.2affected
MattermostMattermost8.1.0 <= 8.1.11affected
MattermostMattermost9.7.0unaffected
MattermostMattermost9.6.1unaffected
MattermostMattermost9.5.3unaffected
MattermostMattermost8.1.12unaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References