Lucene search
16 matches found

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2025-0038

Malicious code in bioql PyPI...

CVSS 3.8 | AI score 5.8 | EPSS 0.00114
Exploits: 0 | References: 3
Veracode
added 2025/09/16 11:34 a.m. | 4 views

Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to Improper Authorization. The vulnerability is due to insufficient validation of authorization for team scheme role modifications, which allows an attacker with Team Admin rights to demote Team Members to Guests via the affected API endpoint...

CVSS 3.8 | AI score 6.7 | EPSS 0.00058
Exploits: 0 | References: 4 | Affected Software: 4
OSV
added 2025/08/21 9:30 a.m. | 3 views

GHSA-4276-CM8C-788H Mattermost Fails to Properly Validate Team Role Modification

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications, which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...

CVSS 3.8 | AI score 7.1 | EPSS 0.00058
Exploits: 0 | References: 4
Tenable Nessus
added 2025/01/17 12:00 a.m. | 6 views

Mattermost Server 9.11.x < 9.11.6 (MMSA-2024-00378)

The version of Mattermost Server installed on the remote host is prior to 9.11.6. It is, therefore, affected by an improper access control vulnerability as referenced in the MMSA-2024-00378 advisory. Mattermost versions 9.11.x prior to 9.11.5 fail to enforce invite permissions, which allows team...

CVSS 3.8 | AI score 6 | EPSS 0.00114
Exploits: 0 | References: 2
SUSE CVE
added 2025/01/15 3:48 a.m. | 1 view

SUSE CVE-2025-22449

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allowopeninvite" field via making their team public...

CVSS 3.8 | AI score 6.9 | EPSS 0.00114
Exploits: 0 | References: 4
Github Security Blog
added 2025/01/09 9:31 a.m. | 14 views

Mattermost Incorrect Authorization vulnerability

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allowopeninvite" field via making their team public...

CVSS 3.8 | AI score 6.7 | EPSS 0.00114
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2025/01/09 6:54 a.m. | 14 views

CVE-2025-22449 Access control flaw for team admins allows unauthorized team additions

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allowopeninvite" field via making their team public...

CVSS 3.8 | EPSS 0.00114
Exploits: 0 | References: 1
Vulnrichment
added 2025/01/09 6:54 a.m. | 9 views

CVE-2025-22449 Access control flaw for team admins allows unauthorized team additions

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allowopeninvite" field via making their team public...

CVSS 3.8 | AI score 4.2 | EPSS 0.00114
Exploits: 0 | References: 1
OSV
added 2024/06/05 3:10 p.m. | 5 views

GO-2024-2793 Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server

Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server...

CVSS 2.7 | AI score 3.4 | EPSS 0.00139
Exploits: 0 | References: 5
Veracode
added 2024/04/29 6:39 a.m. | 17 views

Improper Access Control

Mattermost Server is vulnerable to Improper Access Control. The vulnerability is due to incomplete validation of role changes within team.go, allowing an attacker authenticated as a team admin to promote guests to team admins through crafted HTTP requests...

CVSS 2.7 | AI score 6.9 | EPSS 0.00139
Exploits: 0 | References: 5 | Affected Software: 1
Github Security Blog
added 2024/04/26 9:30 a.m. | 18 views

Mattermost allows team admins to promote guests to team admins

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests...

CVSS 2.7 | AI score 6.6 | EPSS 0.00139
Exploits: 0 | References: 5 | Affected Software: 1
Vulnrichment
added 2024/04/26 8:26 a.m. | 9 views

CVE-2024-4195

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests...

CVSS 2.7 | AI score 6.6 | EPSS 0.00139
Exploits: 0 | References: 1
Github Security Blog
added 2024/04/05 9:30 a.m. | 14 views

Mattermost Server Improper Access Control

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

CVSS 4.7 | AI score 7 | EPSS 0.00062
Exploits: 0 | References: 8 | Affected Software: 1
NVD
added 2024/04/05 9:15 a.m. | 11 views

CVE-2024-29221

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

CVSS 4.7 | AI score 4.9 | EPSS 0.00062
Exploits: 0 | References: 1
Cvelist
added 2024/04/05 8:15 a.m. | 12 views

CVE-2024-29221 Invite ID available to team admins even without the "Add Members" permission

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

CVSS 4.7 | AI score 5 | EPSS 0.00062
Exploits: 0 | References: 1
Hacker One
added 2015/12/19 3:06 p.m. | 14 views

HackerOne: Team Member███ associated with a Custom Group Created with 'Program Management' only permissions can Comment on Bug Reports

Hi Team, Legend ====== AppSecBounty = Bug ProgramSandbox Program Hacker1001 = Bug Reporter BugAdmin = Program Admin BugMember = Team Member associated ProgramManagement Group ProgramManagement Group = Custom Group created with "Program Management Permission" Steps: 1. Hacker1001 reports a Bug to...

AI score 6.8
Exploits: 0