Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-48872

Summary
Assigner-Mattermost
Assigner Org ID-9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At-16 Dec, 2024 | 08:01
Updated At-16 Dec, 2024 | 16:04
Rejected At-
Credits

Bypass of "Max failed attempts" restriction via race condition

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mattermost
Assigner Org ID:9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At:16 Dec, 2024 | 08:01
Updated At:16 Dec, 2024 | 16:04
Rejected At:
▼CVE Numbering Authority (CNA)
Bypass of "Max failed attempts" restriction via race condition

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

Affected Products
Vendor
Mattermost, Inc.Mattermost
Product
Mattermost
Default Status
unaffected
Versions
Affected
  • From 10.1.0 through 10.1.2 (semver)
  • From 10.0.0 through 10.0.2 (semver)
  • From 9.11.0 through 9.11.4 (semver)
  • From 9.5.0 through 9.5.12 (semver)
Unaffected
  • 10.2.0
  • 10.1.3
  • 10.0.3
  • 9.11.5
  • 9.5.13
Problem Types
TypeCWE IDDescription
CWECWE-362CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Type: CWE
CWE ID: CWE-362
Description: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Metrics
VersionBase scoreBase severityVector
3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Mattermost Server to versions 10.2.0, 10.1.3, 10.0.3, 9.11.5, 9.5.13 or higher.

Configurations
Workarounds
Exploits
Credits
finder
Roman Shchekin (qtros)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://mattermost.com/security-updates
N/A
Hyperlink: https://mattermost.com/security-updates
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:responsibledisclosure@mattermost.com
Published At:16 Dec, 2024 | 08:15
Updated At:15 Oct, 2025 | 14:13

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 9.5.0(inclusive) to 9.5.13(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 9.11.0(inclusive) to 9.11.5(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 10.0.0(inclusive) to 10.0.3(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 10.1.0(inclusive) to 10.1.3(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-362Secondaryresponsibledisclosure@mattermost.com
CWE ID: CWE-362
Type: Secondary
Source: responsibledisclosure@mattermost.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://mattermost.com/security-updatesresponsibledisclosure@mattermost.com
Vendor Advisory
Hyperlink: https://mattermost.com/security-updates
Source: responsibledisclosure@mattermost.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2024-39836
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.52% / 66.53%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 06:27
Updated-23 Aug, 2024 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Munged email address used for password resets and notifications

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2023-3591
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 41.91%
||
7 Day CHG~0.00%
Published-17 Jul, 2023 | 15:30
Updated-21 Oct, 2024 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of previous password reset tokens on new token creation

Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-287
Improper Authentication
CVE-2024-36250
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.22% / 44.43%
||
7 Day CHG~0.00%
Published-09 Nov, 2024 | 17:18
Updated-14 Nov, 2024 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFA Code Replay

Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-303
Incorrect Implementation of Authentication Algorithm
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2024-1949
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-2.6||LOW
EPSS-0.27% / 49.78%
||
7 Day CHG~0.00%
Published-29 Feb, 2024 | 10:41
Updated-13 Dec, 2024 | 17:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2024-50313
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-6.9||MEDIUM
EPSS-0.56% / 67.88%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 12:49
Updated-27 Aug, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.16.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.7 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.15 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.29 only if the basic authentication mechanism is used by the application). The basic authentication implementation of affected applications contains a race condition vulnerability which could allow unauthenticated remote attackers to circumvent default account lockout measures.

Action-Not Available
Vendor-mendixSiemens AG
Product-mendixMendix Runtime V10Mendix Runtime V10.12Mendix Runtime V9Mendix Runtime V8Mendix Runtime V10.6
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-10577
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.25% / 48.39%
||
7 Day CHG~0.00%
Published-14 Mar, 2020 | 19:07
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Janus through 0.9.1. janus.c has multiple concurrent threads that misuse the source property of a session, leading to a race condition when claiming sessions.

Action-Not Available
Vendor-meetechon/a
Product-janusn/a
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2026-24040
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.01% / 1.18%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 20:38
Updated-18 Feb, 2026 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jsPDF has a Shared State Race Condition in addJS Plugin

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.

Action-Not Available
Vendor-parallparallax
Product-jspdfjsPDF
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2025-66803
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 12.78%
||
7 Day CHG~0.00%
Published-20 Jan, 2026 | 00:00
Updated-30 Jan, 2026 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.

Action-Not Available
Vendor-hotwiredn/a
Product-turbon/a
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Details not found