THREATINT

State: PUBLISHED

CVE-2024-36257

Lack of permission check when updating the profile picture of a remote user (shared channels enabled)

Assigner: Mattermost
Reserved: 2024-07-01
Published: 2024-07-03
Updated: 2024-07-03

Description

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting server B to update the profile picture of a user is the remote that actually has that user as a local user. This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to server A.



CVSS v3.1 base score: 2.7 (LOW)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-284: Improper Access Control

Product status

Default status: unaffected

9.8.0: affected
9.5.0: affected
9.9.0: unaffected
9.8.1: unaffected
9.5.6: unaffected

Credits

Juho Forsén (finder)

References

https://mattermost.com/security-updates

cve.org: CVE-2024-36257

nvd.nist.gov: CVE-2024-36257

https://cve.threatint.com/CVE/CVE-2024-36257