CVE-2024-5270Improper Access Control in Server

CWE-284Improper Access ControlCWE-79Cross-site Scripting3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 56.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost ServerMattermost
Timeline
PublishedMay 26
Latest updateJan 22

Description

Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDmattermost/mattermost_server8.1.08.1.13+3
CVEListV5mattermost/mattermost9.5.09.5.3+3

🔴Vulnerability Details

2
GHSA
Withdrawn Advisory: Umbraco Rich Text Display allows Cross-Site Scripting2025-01-22
CVEList
SAML to email switch possible when email signin is disabled2024-05-26
CVE-2024-5270 — Improper Access Control in Server | cvebase