Attacker Can Participate in Active Calls Despite Being Removed from Channel
CVE-2024-21848

3.1LOW

Key Information:

Vendor: Mattermost
Status: Mattermost Server
Vendor: CVE Published:; 5 April 2024

Summary

Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 5, 2024