Mattermost 8.1.x<8.1.11: Improper Acc. lets call persist after user removal
CVE-2024-21848 Published on April 5, 2024
Users maintain access to active call after being removed from a channel
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
Vulnerability Analysis
CVE-2024-21848 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-21848 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2024-21848
stack.watch emails you whenever new vulnerabilities are published in Mattermost Server or MatterMost. Just hit a watch button to start following.
Affected Versions
Mattermost:- Version 8.1.0, <= 8.1.10 is affected.
- Version 9.5.0 is unaffected.
- Version 8.1.11 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.