Mattermost Fails to Check User Access to `ExperimentalSettings`
Low severity
GitHub Reviewed
Published May 15, 2025 to the GitHub Advisory Database • Updated May 17, 2025
Package
Affected versions
>= 10.5.0, <= 10.5.2
>= 9.11.0, <= 9.11.11
< 8.0.0-20250411064244-844447fbd57c
Patched versions
10.5.3
9.11.12
8.0.0-20250411064244-844447fbd57c
Published by the National Vulnerability Database: May 15, 2025
Published to the GitHub Advisory Database: May 15, 2025
Reviewed: May 17, 2025
Last updated: May 17, 2025
Description
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting if the user doesn't have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentalSettings` when `RestrictSystemAdmin` is true via System Console.