cbcvebase.
CVE-2024-36492
published 2024-08-01

CVE-2024-36492: Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in…

PriorityP432medium6.4CVSS 3.1
AVNACLPRLUINSCCNILAL
EPSS
0.30%
21.3th percentile
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.

Affected

15 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 9.5.0+incompatible < 9.5.7+incompatible9.5.7+incompatible
github.commattermost_mattermost-server>= 9.7.0+incompatible < 9.7.6+incompatible9.7.6+incompatible
github.commattermost_mattermost-server>= 9.8.0+incompatible < 9.8.2+incompatible9.8.2+incompatible
github.commattermost_mattermost-server>= 9.9.0+incompatible < 9.9.1+incompatible9.9.1+incompatible
github.commattermost_mattermost_server_v8>= 9.5.0 < 9.5.79.5.7
github.commattermost_mattermost_server_v8>= 9.7.0 < 9.7.69.7.6
github.commattermost_mattermost_server_v8>= 9.8.0 < 9.8.29.8.2
github.commattermost_mattermost_server_v8>= 9.9.0 < 9.9.19.9.1
mattermostmattermost
mattermostmattermost>= 9.5.0 < 9.5.79.5.7
mattermostmattermost9.5.0 – 9.5.6
mattermostmattermost>= 9.7.0 < 9.7.69.7.6
mattermostmattermost9.7.0 – 9.7.5
mattermostmattermost>= 9.8.0 < 9.8.29.8.2
mattermostmattermost9.8.0 – 9.8.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.