CVE-2018-21254

An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt