CVE-2024-2447

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

Published: Apr 5, 2024
Updated: May 4, 2025
CVE: CVE-2024-2447
GHSA: GHSA-wp43-vprh-c3w5
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-284
CWE-346

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	8.1.0	8.1.11
github.com/mattermost/mattermost/server/v8	9.5.0	9.5.2
github.com/mattermost/mattermost/server/v8	9.4.0	9.4.4
github.com/mattermost/mattermost/server/v8	9.3.0	9.3.3
mattermost / mattermost_server	8.1.0	8.1.11
mattermost / mattermost_server	9.5.0	9.5.2
mattermost / mattermost_server	9.4.0	9.4.4
mattermost / mattermost_server	9.3.0	9.3.3

https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2024-2447