CVE-2024-28949 MEDIUM

CVE-2024-28949: DoS via a large number of User Preferences

Vendor Mattermost
Product Mattermost
Weakness CWE-400
Published April 5, 2024
Last update September 3, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.

Key dates

02Disclosure timeline

April 5, 2024 CVE published
September 3, 2024 Record updated