CVE-2024-39361 Information

Description

Mattermost versions 9.8.0 9.7.x <= 9.7.4 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts

Reference

https://mattermost.com/security-updates