Home
MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NDefault status
unaffected
10.7.0 (semver)
affected
10.6.0 (semver)
affected
10.5.0 (semver)
affected
9.11.0 (semver)
affected
10.8.0
unaffected
10.7.1
unaffected
10.6.3
unaffected
10.5.4
unaffected
9.11.13
unaffected
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
Problem types
CWE-303: Incorrect Implementation of Authentication Algorithm
Product status
10.7.0 (semver)
10.6.0 (semver)
10.5.0 (semver)
9.11.0 (semver)
10.8.0
10.7.1
10.6.3
10.5.4
9.11.13
Credits
eAhmed
References
mattermost.com/security-updates