CVE-2024-32939

MEDIUM

Mattermost < 9.5.8 - Improper Access Control

Title source: rule

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.

Scores

CVSS v3 4.3
EPSS 0.0028
EPSS Percentile 51.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284 CWE-312
Status published
Products (2)
mattermost/mattermost 9.5.0 - 9.5.8
mattermost/mattermost 9.9.0 - 9.9.2 Go
Published Aug 22, 2024
Tracked Since Feb 18, 2026