We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-50052

Arbitrary post deletion via Playbooks /ignore-thread endpoint



AssignerMattermost
Reserved2024-10-21
Published2024-10-29
Updated2024-10-29

Description

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.



MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Product status

Default status
unaffected

9.10.0
affected

9.11.0
affected

9.5.0
affected

10.0.0
unaffected

9.10.3
unaffected

9.11.2
unaffected

9.5.10
unaffected

Credits

Jesse Hallam finder

References

https://mattermost.com/security-updates

cve.org CVE-2024-50052

nvd.nist.gov CVE-2024-50052

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-50052
Subscribe to our newsletter to learn more about our work.