CVE-2024-21848 LOW

CVE-2024-21848: Users maintain access to active call after being removed from a channel

Vendor: Mattermost
Product: Mattermost
Weakness: CWE-284
Published: April 5, 2024
Last update: February 27, 2025

CVSS base score

3.1/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker who is in a channel with an active call to keep participating in the call even if they are removed from the channel.

Key dates

02 Disclosure timeline

April 5, 2024: CVE published
February 27, 2025: Record updated