GO-2024-3022 Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server...

Mattermost allows remote actor to set arbitrary RemoteId values for synced users

Mattermost versions 9.9.x = 9.9.0 and 9.5.x = 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote...

GHSA-9FPW-C9X7-CV3J Mattermost allows remote actor to set arbitrary RemoteId values for synced users

Mattermost versions 9.9.x = 9.9.0 and 9.5.x = 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote...

PT-2024-29638 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.6 Mattermost versions 9.9.x through 9.9.0 Description: The issue allows a malicious remote to set arbitrary RemoteId values for synced users, which can lead to claiming that a user was synced from another...