Fedora Account System
Red Hat Associate
Red Hat Customer
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests. https://mattermost.com/security-updates
Created purple-mattermost tracking bugs for this issue: Affects: epel-all [bug 2277340] Affects: fedora-all [bug 2277341]