Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-39832

Summary
Assigner-Mattermost
Assigner Org ID-9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At-01 Aug, 2024 | 14:05
Updated At-07 Aug, 2024 | 14:09
Rejected At-
Credits

Permanently local data deletion by malicious remote

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mattermost
Assigner Org ID:9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At:01 Aug, 2024 | 14:05
Updated At:07 Aug, 2024 | 14:09
Rejected At:
▼CVE Numbering Authority (CNA)
Permanently local data deletion by malicious remote

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled.

Affected Products
Vendor
Mattermost, Inc.Mattermost
Product
Mattermost
Default Status
unaffected
Versions
Affected
  • 9.9.0
  • From 9.5.0 through 9.5.6 (semver)
  • From 9.7.0 through 9.7.5 (semver)
  • From 9.8.0 through 9.8.1 (semver)
Unaffected
  • 9.10.0
  • 9.9.1
  • 9.5.7
  • 9.7.6
  • 9.8.2
Problem Types
TypeCWE IDDescription
CWECWE-754CWE-754: Improper Check for Unusual or Exceptional Conditions
Type: CWE
CWE ID: CWE-754
Description: CWE-754: Improper Check for Unusual or Exceptional Conditions
Metrics
VersionBase scoreBase severityVector
3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Mattermost to versions 9.10.0, 9.9.1, 9.5.7, 9.7.6, 9.8.2 or higher.

Configurations
Workarounds
Exploits
Credits
finder
Juho Forsén
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://mattermost.com/security-updates
N/A
Hyperlink: https://mattermost.com/security-updates
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:responsibledisclosure@mattermost.com
Published At:01 Aug, 2024 | 15:15
Updated At:23 Aug, 2024 | 14:35

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.7HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Secondary3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Type: Primary
Version: 3.1
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
CPE Matches
Mattermost, Inc.
mattermost
>>mattermost>>Versions from 9.5.0(inclusive) to 9.5.7(exclusive)
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost>>Versions from 9.7.0(inclusive) to 9.7.6(exclusive)
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost>>Versions from 9.8.0(inclusive) to 9.8.2(exclusive)
cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost>>9.9.0
cpe:2.3:a:mattermost:mattermost:9.9.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-754Primarynvd@nist.gov
CWE-754Secondaryresponsibledisclosure@mattermost.com
CWE ID: CWE-754
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-754
Type: Secondary
Source: responsibledisclosure@mattermost.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://mattermost.com/security-updatesresponsibledisclosure@mattermost.com
Vendor Advisory
Hyperlink: https://mattermost.com/security-updates
Source: responsibledisclosure@mattermost.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

11Records found
CVE-2025-54463
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.05% / 15.93%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 18:57
Updated-12 Aug, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unexpected Input to Cloud Webhook endpoint Causes DoS in Mattermost Confluence Plugin

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermost Confluence Plugin
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2021-37862
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.17% / 38.45%
||
7 Day CHG~0.00%
Published-17 Dec, 2021 | 16:10
Updated-04 Aug, 2024 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-52931
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.93%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 18:57
Updated-12 Aug, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unexpected input to Update Channel Subscription endpoint causes DoS in Mattermost Confluence Plugin

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid request body.

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermost Confluence Plugin
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-11599
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-8.2||HIGH
EPSS-0.18% / 40.29%
||
7 Day CHG+0.02%
Published-28 Nov, 2024 | 09:42
Updated-29 Nov, 2024 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Domain Restriction Bypass on Registration

Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermostmattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-5967
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.04%
||
7 Day CHG~0.00%
Published-06 Nov, 2023 | 15:24
Updated-12 Sep, 2024 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service via crashing the Calls Plugin

Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-49607
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.08%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:21
Updated-02 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Playbook plugin crash via missing interface type assertion

Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-22445
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.5||LOW
EPSS-0.05% / 15.21%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 06:55
Updated-09 Jan, 2025 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Misleading UI for undefined admin console settings in Calls causes security confusion

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-0503
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.04% / 10.40%
||
7 Day CHG~0.00%
Published-14 Feb, 2025 | 17:52
Updated-14 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Leaked User IDs and Metadata of Deleted DMs

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.

Action-Not Available
Vendor-Mattermost, Inc.
Product-Mattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-4182
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 41.49%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 08:25
Updated-12 May, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermostmattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-42411
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 35.85%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 06:32
Updated-23 Aug, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User creation date manipulation in POST /api/v4/users

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermostmattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2017-18914
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 47.30%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 19:16
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
Details not found