CVE-2024-42411 MEDIUM

CVE-2024-42411: User creation date manipulation in POST /api/v4/users

Vendor Mattermost
Product Mattermost
Weakness CWE-754
Published August 22, 2024
Last update August 22, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older.

Key dates

02Disclosure timeline

August 22, 2024 CVE published
August 22, 2024 Record updated