cbcvebase.
CVE-2024-40886
published 2024-08-22

CVE-2024-40886: Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection…

PriorityP344high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.19%
8.8th percentile
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console.

Affected

16 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 9.10.0+incompatible < 9.10.1+incompatible9.10.1+incompatible
github.commattermost_mattermost-server>= 9.5.0+incompatible < 9.5.8+incompatible9.5.8+incompatible
github.commattermost_mattermost-server>= 9.8.0+incompatible < 9.8.3+incompatible9.8.3+incompatible
github.commattermost_mattermost-server>= 9.9.0+incompatible < 9.9.2+incompatible9.9.2+incompatible
github.commattermost_mattermost_server_v8>= 9.10.0 < 9.10.19.10.1
github.commattermost_mattermost_server_v8>= 9.5.0 < 9.5.89.5.8
github.commattermost_mattermost_server_v8>= 9.8.0 < 9.8.39.8.3
github.commattermost_mattermost_server_v8>= 9.9.0 < 9.9.29.9.2
mattermostmattermost
mattermostmattermost>= 9.10.0 < 9.10.19.10.1
mattermostmattermost>= 9.5.0 < 9.5.89.5.8
mattermostmattermost9.5.0 – 9.5.7
mattermostmattermost>= 9.8.0 < 9.8.39.8.3
mattermostmattermost9.8.0 – 9.8.2
mattermostmattermost>= 9.9.0 < 9.9.29.9.2
mattermostmattermost9.9.0 – 9.9.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.