Mattermost allows remote/synthetic users to create sessions, reset passwords

GHSA-c6vp-jjgv-38wj · CVE-2024-39836 · GO-2024-3096

Published Aug 22, 2024 · Modified Aug 30, 2024

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-39836
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes