Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
References
History

Fri, 13 Dec 2024 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost Server
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost
Mattermost mattermost Server

cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2024-04-05T08:15:07.130Z

Updated: 2024-08-02T01:10:54.523Z

Reserved: 2024-04-03T10:03:48.289Z

Link: CVE-2024-29221

cve-icon Vulnrichment

Updated: 2024-08-02T01:10:54.523Z

cve-icon NVD

Status : Analyzed

Published: 2024-04-05T09:15:09.680

Modified: 2024-12-13T16:21:08.447

Link: CVE-2024-29221

cve-icon Redhat

No data.