Upstream information
Description
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| CNA (responsibledisclosure@mattermost.com) | |
|---|---|
| Base Score | 4.3 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | Low |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- openSUSE-SU-2024:0350-1, published Tue Nov 5 22:50:01 2024
- openSUSE-SU-2024:14458-1, published Tue Nov 5 18:49:12 2024
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Package Hub 12 |
| Patchnames: openSUSE-2024-350 |
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2024-14458 |
SUSE Timeline for this CVE
CVE page created: Tue Oct 29 10:00:08 2024CVE page last modified: Wed Nov 6 00:57:36 2024