Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Solution:
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Link | Tags |
---|---|
https://mattermost.com/security-updates/ | vendor advisory |