CVE-2024-39839

MEDIUM

Mattermost 9.5.0-9.5.6, 9.7.0-9.7.5, 9.8.0-9.8.1, 9.9.0 - Improper Access Control in Shared Channels

Title source: llm

Description

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.

References (1)

Core 1

Core References

Vendor Advisory

https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0022

EPSS Percentile 44.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

mattermost/mattermost 9.5.0 - 9.5.7Go

mattermost/mattermost_server 9.9.0

mattermost/mattermost_server 9.5.0 - 9.5.7

Published Aug 01, 2024

Tracked Since Feb 18, 2026