CVE-2024-43780: 
vulnerability analysis and mitigation

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, and 9.8.x <= 9.8.2 contain a permission enforcement vulnerability that was disclosed on August 22, 2024. The vulnerability allows guest users with read access to upload files to a channel, which represents a failure in proper permission enforcement (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (AttackerKB).

The vulnerability allows guest users to bypass intended permission restrictions, enabling them to upload files to channels where they should only have read access. This represents a violation of the principle of least privilege and could potentially be used to introduce unwanted content into Mattermost channels (NVD).

Organizations should upgrade to the fixed versions of Mattermost: version 9.5.8 or later for the 9.5.x series, version 9.8.3 or later for the 9.8.x series, version 9.9.2 or later for the 9.9.x series, or versions after 9.10.0 (Mattermost Security Updates).