Vulnerability Information
Vulnerability Title
Invite ID available to team admins even without the "Add Members" permission
Vulnerability Description
Improper Access Control: Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint, allowing a team admin to obtain the invite ID of their team and thus invite users, even if the "Add Members" permission had been explicitly removed from team admins.
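The defect described above is a missing permission check on a response field: the endpoint returns the team record including its invite ID regardless of whether the caller holds the permission that invite ID effectively grants. The following is an added, constructed Go sketch of that pattern (not Mattermost's code; the `Team`, `Session`, `PermissionInviteUser` names and the permission model are assumptions) showing the leaking handler beside one that clears the field unless the caller may invite users.

```go
package main

import "fmt"

// Constructed model of the issue described above; not Mattermost's code.
type Permission string

const PermissionInviteUser Permission = "invite_user"

// Team is a minimal stand-in for the team record returned by the endpoint.
type Team struct {
	ID       string
	Name     string
	InviteID string
}

// Session holds the caller's effective permissions per team (assumed model).
type Session struct {
	UserID string
	Perms  map[string]map[Permission]bool // teamID -> granted permissions
}

func (s Session) Has(teamID string, p Permission) bool {
	return s.Perms[teamID][p] // nil inner map yields false
}

// vulnerableMyTeams returns the records verbatim, so InviteID reaches any
// team admin, including one whose "Add Members" permission was removed.
func vulnerableMyTeams(s Session, teams []Team) []Team {
	return append([]Team(nil), teams...)
}

// fixedMyTeams sanitizes the response: InviteID is only returned to callers
// that actually hold the invite permission on that team.
func fixedMyTeams(s Session, teams []Team) []Team {
	out := make([]Team, 0, len(teams))
	for _, t := range teams { // t is a copy, so the input slice is untouched
		if !s.Has(t.ID, PermissionInviteUser) {
			t.InviteID = ""
		}
		out = append(out, t)
	}
	return out
}

func main() {
	teams := []Team{{ID: "t1", Name: "eng", InviteID: "constructed-invite-id"}}
	admin := Session{UserID: "u1", Perms: map[string]map[Permission]bool{"t1": {}}}
	fmt.Printf("vulnerable: %q\n", vulnerableMyTeams(admin, teams)[0].InviteID)
	fmt.Printf("fixed:      %q\n", fixedMyTeams(admin, teams)[0].InviteID)
}
```

The defensive point generalises beyond this one field: any value that acts as a capability (invite links, tokens, secrets embedded in a resource) needs its own permission check at serialization time, not just a check on reading the parent resource.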
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
Improper Access Control
Vulnerability Title
Mattermost Server security vulnerability
Vulnerability Description
Mattermost Server is an open-source messaging platform from the US company Mattermost. Mattermost Server versions before 9.5.2, before 9.4.4, before 9.3.3, and before 8.1.11 contain a security vulnerability caused by a lack of proper access control in the /api/v4/users/me/teams endpoint, which allows a team admin to obtain their team's invite ID and thus invite users.
CVSS Information
N/A
Vulnerability Type
N/A