Description
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.
References
- Vendor Advisory
Vulnerable configurations
Configuration 1
Version from 9.11.0 (inclusive) to 9.11.13 (exclusive)
Version from 10.5.0 (inclusive) to 10.5.4 (exclusive)
One of
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:10.7.0:-:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:10.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_server:10.7.0:rc2:*:*:*:*:*:*
EPSS
Score: 0.0003 (percentile: 8%, Low)
CVSS3
3.1 Low
CVSS3
4.3 Medium
Weaknesses
CWE-863
Related vulnerabilities
CVSS3: 3.1
debian
8 months ago
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11 ...
CVSS3: 3.1
github
8 months ago
Mattermost fails to properly enforce access control restrictions for System Manager roles