CVE-2023-4478

Source
https://cve.org/CVERecord?id=CVE-2023-4478
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-4478.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-4478
Aliases
Published
2023-08-25T09:06:06.310Z
Modified
2026-07-15T02:09:27.396433655Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Parameter tampering in the registration resulting in blocked accounts to be created
Details

Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.

Database specific
{
    "cwe_ids": [
        "CWE-74"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/4xxx/CVE-2023-4478.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "7.8.8"
                },
                {
                    "last_affected": "7.10.4"
                },
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.0.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "Mattermost"
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:8.0.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.8.9"
        },
        {
            "introduced": "7.9.0"
        },
        {
            "fixed": "7.10.5"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "last_affected": "8.0.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

8.*
8.0.0
Other
cloud-2022-07-20-1
cloud-2022-08-10-1
cloud-2022-09-08-1
cloud-2022-10-06-1
cloud-2022-11-11-1
cloud-2022-11-24-1
cloud-2023-01-26-1
cloud-2023-03-29-1
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v7.*
v7.10.0
v7.10.1
v7.10.2
v7.10.3
v7.10.4
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.8.4
v7.8.5
v7.8.6
v7.8.7
v7.8.8
v8.*
v8.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-4478.json"