CVE-2024-1942

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.

Published: Feb 29, 2024
Updated: May 4, 2025
CVE: CVE-2024-1942
GHSA: GHSA-hwjf-4667-gqwx
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	9.3.0	9.3.1
github.com/mattermost/mattermost/server/v8	9.2.0	9.2.5
github.com/mattermost/mattermost/server/v8	-	8.1.9
mattermost / mattermost_server	8.1.0	8.1.9
mattermost / mattermost_server	9.2.0	9.2.5
mattermost / mattermost_server	9.3.0	9.3.0.x

https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2024-1942