CVE-2024-39836

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.
References
Link Resource
https://mattermost.com/security-updates Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

History

23 Aug 2024, 16:16

Type Values Removed Values Added
First Time Mattermost mattermost
Mattermost
CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
References () https://mattermost.com/security-updates - () https://mattermost.com/security-updates - Vendor Advisory
CVSS v2 : unknown
v3 : 4.8
v2 : unknown
v3 : 6.5

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) Las versiones de Mattermost 9.9.x &lt;= 9.9.1, 9.5.x &lt;= 9.5.7, 9.10.x &lt;= 9.10.0 y 9.8.x &lt;= 9.8.2 no garantizan que los usuarios remotos/sintéticos no puedan crear sesiones ni restablecer contraseñas, que permite que las direcciones de correo electrónico eliminadas, creadas por canales compartidos, se utilicen para recibir notificaciones por correo electrónico y restablecer contraseñas, cuando sean correos electrónicos válidos y funcionales.

22 Aug 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-22 07:15

Updated : 2024-08-23 16:16


NVD link : CVE-2024-39836

Mitre link : CVE-2024-39836

CVE.ORG link : CVE-2024-39836


JSON object : View

Products Affected

mattermost

  • mattermost
CWE
NVD-CWE-noinfo CWE-693

Protection Mechanism Failure