Vulnerability Details CVE-2024-6428
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user, which allows an attacker to specify both a remoteId and the user ID, resulting in the creation of a user with a user-defined user ID. This can break some User Management functionality, such as administrative actions against the user not working.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.2%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2024-6428
- cpe:2.3:a:mattermost:mattermost:9.5.0
- cpe:2.3:a:mattermost:mattermost:9.5.1
- cpe:2.3:a:mattermost:mattermost:9.5.2
- cpe:2.3:a:mattermost:mattermost:9.5.3
- cpe:2.3:a:mattermost:mattermost:9.5.4
- cpe:2.3:a:mattermost:mattermost:9.5.5
- cpe:2.3:a:mattermost:mattermost:9.6.0
- cpe:2.3:a:mattermost:mattermost:9.6.1
- cpe:2.3:a:mattermost:mattermost:9.6.2
- cpe:2.3:a:mattermost:mattermost:9.7.0
- cpe:2.3:a:mattermost:mattermost:9.7.1
- cpe:2.3:a:mattermost:mattermost:9.7.2
- cpe:2.3:a:mattermost:mattermost:9.7.3
- cpe:2.3:a:mattermost:mattermost:9.7.4
- cpe:2.3:a:mattermost:mattermost:9.8.0