CVE-2024-29221 Information

Description

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2 9.4.x before 9.4.4 9.3.x before 9.3.3 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team thus allowing them to invite users even if the \Add Members\ permission was explicitly removed from team admins.

Reference

https://mattermost.com/security-updates