CVE-2024-39836

Published: Aug 22, 2024Modified: Aug 23, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

Affected (4)

Products: Mattermost: Mattermost

Mattermost

1 product

Mattermost

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mattermost Mattermost	From 9.10.0 to 9.10.1
Mattermost Mattermost	From 9.5.0 to 9.5.8
Mattermost Mattermost	From 9.8.0 to 9.8.3
Mattermost Mattermost	From 9.9.0 to 9.9.2

Related CWEs

CWE-693

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (1)

https://mattermost.com/security-updates

Source: responsibledisclosure@mattermost.com

Vendor Advisory

Timeline

No history available yet.