CVE-2023-4478Injection in Server

CWE-74Injection3 documents3 sources
Severity
8.2HIGHNVD
CNA4.3
EPSS
0.3%
top 46.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost ServerMattermost
Timeline
PublishedAug 25

Description

Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

NVDmattermost/mattermost_server7.9.07.10.5+2
CVEListV5mattermost/mattermost7.8.8+2

🔴Vulnerability Details

2
GHSA
GHSA-65h8-5q72-mrp3: Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus2023-08-25
CVEList
Parameter tampering in the registration resulting in blocked accounts to be created2023-08-25
CVE-2023-4478 — Injection in Mattermost Server | cvebase