Lucene search

MattermostCVELIST:CVE-2024-43813

HistoryAug 22, 2024 - 6:30 a.m.

CVE-2024-43813 IDOR when marking read a user's channel

2024-08-2206:30:58

CWE-284

Mattermost

www.cve.org

cve-2024-43813

idor

marking read

user's channel

mattermost

versions

9.5.x

9.5.7

9.10.x

9.10.0

access controls

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

Percentile

14.7%

JSON

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "9.5.7",
        "status": "affected",
        "version": "9.5.0",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "9.10.0"
      },
      {
        "status": "unaffected",
        "version": "9.11.0"
      },
      {
        "status": "unaffected",
        "version": "9.5.8"
      },
      {
        "status": "unaffected",
        "version": "9.10.1"
      }
    ]
  }
]

References

mattermost.com/security-updates

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

Percentile

14.7%

JSON

Related for CVELIST:CVE-2024-43813