CVE-2023-4478

Summary

Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 7.8.8affected
MattermostMattermost0 <= 7.10.4affected
MattermostMattermost7.8.9unaffected
MattermostMattermost7.10.5unaffected
MattermostMattermost8.0.1unaffected
MattermostMattermost8.0.0affected

Weaknesses

  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References