CVE-2024-39836
published 2024-08-22


Priority: P3 (34)
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.26% (17.4th percentile)
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

Affected (16 ranges)

Vendor      Product                          Version range                                   Fixed in
github.com  mattermost_mattermost-server     >= 9.10.0+incompatible < 9.10.1+incompatible    9.10.1+incompatible
github.com  mattermost_mattermost-server     >= 9.5.0+incompatible < 9.5.8+incompatible      9.5.8+incompatible
github.com  mattermost_mattermost-server     >= 9.8.0+incompatible < 9.8.3+incompatible      9.8.3+incompatible
github.com  mattermost_mattermost-server     >= 9.9.0+incompatible < 9.9.2+incompatible      9.9.2+incompatible
github.com  mattermost_mattermost_server_v8  >= 9.10.0 < 9.10.1                              9.10.1
github.com  mattermost_mattermost_server_v8  >= 9.5.0 < 9.5.8                                9.5.8
github.com  mattermost_mattermost_server_v8  >= 9.8.0 < 9.8.3                                9.8.3
github.com  mattermost_mattermost_server_v8  >= 9.9.0 < 9.9.2                                9.9.2
mattermost  mattermost                       -                                               -
mattermost  mattermost                       >= 9.10.0 < 9.10.1                              9.10.1
mattermost  mattermost                       >= 9.5.0 < 9.5.8                                9.5.8
mattermost  mattermost                       9.5.0 – 9.5.7                                   -
mattermost  mattermost                       >= 9.8.0 < 9.8.3                                9.8.3
mattermost  mattermost                       9.8.0 – 9.8.2                                   -
mattermost  mattermost                       >= 9.9.0 < 9.9.2                                9.9.2
mattermost  mattermost                       9.9.0 – 9.9.1                                   -