BIT-MATTERMOST-2024-41926

Mattermost versions 9.9.x = 9.9.0 and 9.5.x = 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote...

Nextcloud: Federated editing allows iframing possibly malicious remotes

So this attack is less likely now that you killed the trusted server auto adding. But as far as I could tell you did not clear out old servers. Let me first describe the attack: 1. UserA on ServerA sends a federated share to userB on serverB 2. Assume serverA and serverB are trusted servers 3. No...