Invite ID available to team admins even without the "Add Members" permission

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

访问控制不恰当

Mattermost Server 安全漏洞

Mattermost Server是美国Mattermost公司的一套开源的消息传递平台。 Mattermost Server 9.5.2 之前、9.4.4 之前、9.3.3 之前、8.1.11 之前版本存在安全漏洞，该漏洞源于 /api/v4/ 中缺乏适当的访问控制，users/me/teams 端点允许团队管理员获取其团队的邀请 ID，从而允许他们邀请用户。

N/A

N/A