CVE-2024-5272

EUVD-2024-46509
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MattermostCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
8.1.0 ≤
𝑥
< 8.1.13
mattermostmattermost_server
9.5.0 ≤
𝑥
< 9.5.4
mattermostmattermost_server
9.6.0 ≤
𝑥
< 9.6.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates
https://mattermost.com/security-updates