Insecure Endpoint Allows Team Admins to Invite Users Despite Removal of 'Add Members' Permission
CVE-2024-29221

3.8LOW

Key Information:

Vendor: Mattermost
Status: Mattermost Server
Vendor: CVE Published:; 5 April 2024

Summary

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

3.8

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 5, 2024