GHSA-g376-m3h3-mj4r

Suggest an improvement
Source
https://github.com/advisories/GHSA-g376-m3h3-mj4r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g376-m3h3-mj4r/GHSA-g376-m3h3-mj4r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g376-m3h3-mj4r
Aliases
Published
2024-10-29T09:30:51Z
Modified
2024-11-04T21:25:15Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Mattermost server allows authenticated user to delete arbitrary post
Details

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.

References

Affected packages

Go / github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
View open source insights on deps.dev
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.0.0-20240926115259-20ed58906adc