Mattermost Server
Approved changes feed: RSS · Atom
cpe:2.3:a:mattermost:mattermost_server:9.9.0:*:*:*:*:*:*:*
part: a version: 9.9.0 update: *
| Vendor | Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc) |
|---|---|
| Product | Mattermost Server (657bc445-594e-5ca1-a676-4f18538f1c02) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2024-41926 |
vulnerable | 2026-06-03 14:56:35.252658 |
Malicious remote can claim that a user was synced from another remote
LOW (2.7)
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
Published: 2024-08-01T14:05:10.650Z
Updated: 2024-08-01T14:32:10.107Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-41162 |
vulnerable | 2026-06-03 14:56:34.170762 |
Malicious remote can make an arbitrary local channel read-only
MEDIUM (4.1)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
Published: 2024-08-01T14:05:09.501Z
Updated: 2024-08-02T15:01:29.868Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-41144 |
vulnerable | 2026-06-03 14:56:34.092639 |
Malicious remote can create/update/delete arbitrary posts in arbitrary channels
MEDIUM (5.5)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels
Published: 2024-08-01T14:05:08.491Z
Updated: 2024-08-05T16:58:34.663Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39839 |
vulnerable | 2026-06-03 14:56:22.559603 |
Remote username set to an arbitrary string by remote user
MEDIUM (4.3)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.
Published: 2024-08-01T14:05:07.339Z
Updated: 2024-08-01T18:04:42.351Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39837 |
vulnerable | 2026-06-03 14:56:22.553745 |
Malicious remote can create arbitrary channels
LOW (3.8)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
Published: 2024-08-01T14:05:06.182Z
Updated: 2024-08-01T20:47:51.530Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.