CVE-2024-40884

Mattermost Server 9.5.x (up to 9.5.7) and 9.10.x (up to 9.10.0) are affected by an improper access control issue that allows a team admin user without the Add Team Members permission to disable the invite URL. The issue is caused by insufficient enforcement of permissions (no explicit access cont...

CVE-2024-4198

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests...