2 matches found
CVE-2024-5272
The CVE-2024-5272 issue is an Improper Access Control in Mattermost where the audience of the custom_playbooks_playbook_run_updated webhook is not restricted. A guest in a channel with a linked playbook run can view all details of the playbook run once it is marked as finished. Affected versions ...
CVE-2024-5272 Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"
Mattermost versions 9.5.x = 9.5.3, 9.6.x = 9.6.1, 8.1.x = 8.1.12 fail to restrict the audience of the "customplaybooksplaybookrunupdated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished...