CVE-2024-39836

MEDIUM

Mattermost <9.9.1, 9.5.7, 9.10.0, 9.8.2 - Info Disclosure

Title source: llm

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 4.8

EPSS 0.0052

EPSS Percentile 66.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-693

Status published

Affected Products (2)

mattermost/mattermost < 9.5.8

mattermost/mattermost < 9.9.2Go

Timeline

Published Aug 22, 2024

Tracked Since Feb 18, 2026