Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
IDOR in CreatePost API allows for timeboxed message disclosure
Vulnerability Description
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Mattermost 安全漏洞
Vulnerability Description
Mattermost是美国Mattermost公司的一个开源协作平台。 Mattermost 10.5.6及之前的10.5.x版本、10.8.1及之前的10.8.x版本、10.7.3及之前的10.7.x版本、9.11.16及之前的9.11.x版本存在安全漏洞,该漏洞源于检索PendingPostID缓存帖子时未验证授权,可能导致认证用户读取无权访问的私人频道帖子。
CVSS Information
N/A
Vulnerability Type
N/A