PT-2021-23964 · Elabftw · Elabftw

Anargam +1 · Published 2021-12-15 · Updated 2021-12-21 · CVE-2021-43833

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 4.2.0
Description: Improper authentication allows any authenticated user to gain access to arbitrary accounts by setting a specially crafted email address. Only instances without an explicit email domain allowlist are affected. Administrators and the targeted users are not notified of the account changes. The attacker needs to control an existing account to exploit the issue; with the default settings an administrator has to validate newly created accounts, so an attacker cannot simply self-register a throwaway account.
Recommendations: Upgrade to version 4.2.0 or later. If upgrading is not possible, enable an email domain allowlist from the Sysconfig panel, Security tab, which fully mitigates the issue.
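The allowlist mitigation only works if the domain check itself cannot be fooled by a crafted address. The following is an added illustration of what such a check has to handle (case, trailing dot, whitespace, a second "@", look-alike domains); it is not eLabFTW's code, and the function names and the sample allowlist are assumptions made for this example. The weak variant is included only to show a common mistake.

```python
"""Email-domain allowlist check (added example, not eLabFTW's implementation).

ALLOWED_DOMAINS is a constructed sample; every function here is an assumption
made for illustration rather than any real project's API.
"""
import re
from typing import Optional, Set, Tuple

# Constructed sample allowlist: domains the organisation is assumed to own.
ALLOWED_DOMAINS: Set[str] = {"lab.example.org", "example.org"}

# Deliberately stricter than RFC 5322: quoted local parts, comments and any
# second "@" are rejected outright instead of being parsed leniently.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def weak_is_allowed(email: str, allowed: Set[str] = ALLOWED_DOMAINS) -> bool:
    """Naive suffix check: accepts anything that merely ends with an allowed
    domain, so "attacker@evilexample.org" passes for "example.org"."""
    return any(email.endswith(d) for d in allowed)


def normalize_email(email: str) -> Optional[Tuple[str, str]]:
    """Return (local, canonical_domain) for a single plain local@domain address,
    or None if the input is not one."""
    if not isinstance(email, str):
        return None
    # Reject rather than strip control characters and whitespace: a stored
    # "victim@example.org " must never be matched as "victim@example.org".
    if any(ord(c) < 33 or ord(c) == 127 for c in email):
        return None
    if email.count("@") != 1:  # "a@evil.com@example.org" contains two
        return None
    local, domain = email.split("@")
    if not _LOCAL_RE.fullmatch(local):
        return None
    # Canonicalise: hostnames are case-insensitive and a trailing dot denotes
    # the same fully-qualified name.
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # The ASCII-only label pattern also rejects non-ASCII (homoglyph) domains;
    # IDNA support would have to be added deliberately, not by accident.
    if len(labels) < 2 or not all(_LABEL_RE.fullmatch(label) for label in labels):
        return None
    return local, domain


def strict_is_allowed(email: str, allowed: Set[str] = ALLOWED_DOMAINS) -> bool:
    """Exact-domain allowlist: the canonical domain must equal an entry.
    Subdomains are not implicitly allowed; list them explicitly if wanted."""
    parsed = normalize_email(email)
    if parsed is None:
        return False
    _, domain = parsed
    return domain in {d.lower().rstrip(".") for d in allowed}


if __name__ == "__main__":
    for candidate in ("bob@example.org", "alice@Lab.Example.ORG.",
                      "attacker@evilexample.org", "a@evil.com@example.org",
                      "victim@example.org "):
        print(f"{candidate!r}: weak={weak_is_allowed(candidate)} "
              f"strict={strict_is_allowed(candidate)}")
```

The strict check matches the canonical domain exactly, so a subdomain such as sub.example.org is rejected unless it is listed; that is the safer default when the allowlist is the only thing standing between an account and an arbitrary email address.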

Weakness Enumeration

CWE-287 Improper Authentication

Related Identifiers

CVE-2021-43833
GHSA-V659-Q2FH-V99W

Affected Products

Elabftw