Cross-site Request Forgery (CSRF)
Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the UpdateAccessControlPolicyActiveStatus endpoint. An attacker can change the active status of access control...
Mattermost doesn't properly validate CSRF tokens
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/accesscontrolpolicies/policyid/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...
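The failure mode the two advisories describe is a cookie-authenticated, state-changing request that is authorised but never checked for a CSRF token, so an admin's browser can be made to submit it from an attacker's page. The Go program below is an added example written for this page, not Mattermost's own code: it puts a minimal model of the activate endpoint with the check missing beside the same handler with the check enforced. The session store, the AUTHTOKEN cookie name, the X-CSRF-Token header and all token values are assumptions constructed for the example; the real project's cookie and header names are not taken from this page.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// session is a hypothetical server-side session record. The CSRF token is
// generated per session and is never readable by a cross-origin page.
type session struct {
	UserID  string
	IsAdmin bool
	CSRF    string
}

// sessions is a constructed in-memory store: auth token -> session.
var sessions = map[string]*session{
	"sess-admin-1": {UserID: "admin", IsAdmin: true, CSRF: "csrf-9f2c"},
}

// authenticate resolves the session from an Authorization: Bearer header or
// from the hypothetical AUTHTOKEN cookie. The second return value reports
// whether the credential came as a cookie, i.e. as ambient authority the
// browser attaches to a cross-site request automatically.
func authenticate(r *http.Request) (*session, bool) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return sessions[strings.TrimPrefix(h, "Bearer ")], false
	}
	if c, err := r.Cookie("AUTHTOKEN"); err == nil {
		return sessions[c.Value], true
	}
	return nil, false
}

// csrfOK is the check the vulnerable endpoint is described as lacking: a
// cookie-authenticated request must carry the session's CSRF token in a
// custom header, which a cross-origin form cannot set. Requests authenticated
// by header are not forgeable cross-site and need no token.
func csrfOK(r *http.Request, s *session, fromCookie bool) bool {
	if !fromCookie {
		return true
	}
	got := r.Header.Get("X-CSRF-Token")
	return got != "" && subtle.ConstantTimeCompare([]byte(got), []byte(s.CSRF)) == 1
}

// activateHandler models POST /api/v4/accesscontrolpolicies/policyid/activate.
// With enforceCSRF=false it authenticates and authorises the caller but never
// checks the token, so the cookie alone is enough to flip the policy.
func activateHandler(enforceCSRF bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		s, fromCookie := authenticate(r)
		if s == nil || !s.IsAdmin {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if enforceCSRF && !csrfOK(r, s, fromCookie) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		// The policy's active status would be changed here.
		w.WriteHeader(http.StatusOK)
	}
}

const activatePath = "/api/v4/accesscontrolpolicies/policyid/activate"

// forgedRequest is what an auto-submitting form on an attacker's page yields
// when the admin visits it: the browser adds the auth cookie, but the attacker
// can neither read the CSRF token nor set a custom header.
func forgedRequest() *http.Request {
	r := httptest.NewRequest(http.MethodPost, activatePath, nil)
	r.AddCookie(&http.Cookie{Name: "AUTHTOKEN", Value: "sess-admin-1"})
	return r
}

// legitimateRequest is the same call from the real web client, which knows
// its own CSRF token and sends it in X-CSRF-Token.
func legitimateRequest() *http.Request {
	r := forgedRequest()
	r.Header.Set("X-CSRF-Token", "csrf-9f2c")
	return r
}

// bearerRequest models an API client using the Authorization header, which a
// cross-site page cannot attach.
func bearerRequest() *http.Request {
	r := httptest.NewRequest(http.MethodPost, activatePath, nil)
	r.Header.Set("Authorization", "Bearer sess-admin-1")
	return r
}

// status runs the handler against a request and returns the HTTP status code.
func status(h http.HandlerFunc, r *http.Request) int {
	rec := httptest.NewRecorder()
	h(rec, r)
	return rec.Code
}

func main() {
	fmt.Println("flawed handler, forged request:  ", status(activateHandler(false), forgedRequest()))
	fmt.Println("hardened handler, forged request:", status(activateHandler(true), forgedRequest()))
	fmt.Println("hardened handler, real client:   ", status(activateHandler(true), legitimateRequest()))
	fmt.Println("hardened handler, bearer client: ", status(activateHandler(true), bearerRequest()))
}
```

The point to verify when testing a fix is the second line of output: the forged request must be refused even though the session it rides on is a valid admin session. A cross-origin fetch that tried to add X-CSRF-Token would trigger a CORS preflight the server does not approve, which is why a per-session token in a custom header closes the hole; SameSite=Lax on the auth cookie is a sensible second layer but does not replace the token check.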