Uncontrolled Search Path Element

Summary

Mattermost versions fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives containing path traversal sequences in filenames. This vulnerability can potentially lead to Remote Code Execution. The issue affects instances where file uploads and document search by content are enabled (`FileSettings.EnableFileAttachments = true` and `FileSettings.ExtractContent = true`). These configuration settings are enabled by default. This issue affects versions 9.11.x prior to 9.11.16-rc1, 10.5.x prior to 10.5.6-rc1, 10.6.x prior to 10.6.6-rc1, 10.7.x prior to 10.7.3-rc1, and 10.8.x prior to 10.8.1.