3 matches found
CVE-2024-36257 Lack of permission check when updating the profile picture of a remote user (shared channels enabled)
Mattermost versions 9.5.x = 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious...
CVE-2024-36257 Lack of permission check when updating the profile picture of a remote user (shared channels enabled)
Mattermost versions 9.5.x = 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious...
CVE-2024-36257
Mattermost CVE-2024-36257 involves an improper access control vulnerability in shared channels with multiple remote servers. The root cause is a missing verification that the remote server requesting a profile-picture update for a user is the server that locally hosts that user. This allows a mal...