PT-2024-21053 · Elabftw · Elabftw

Anargam · Published 2024-08-15 · Updated 2025-08-19 · CVE-2024-25633

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: eLabFTW versions from 4.4.0 up to, but not including, 5.0.0.

Description: A vulnerability in eLabFTW allows regular users to create new, already-validated accounts in their own team. If anonymous access is enabled on the instance, an unauthenticated user can create regular users in any team. This can be used to maintain persistence in the system, to create separate accounts under different names, and to produce misleading revision histories. The newly created users receive no additional privileges.

Recommendations: For versions prior to 5.0.0, upgrade to version 5.0.0, which contains the patch. As a temporary workaround, consider disabling both options that allow administrators to create users. Additionally, disabling anonymous user access blocks all anonymous access, including access through existing access keys.

Weakness Enumeration: Incorrect Privilege Assignment

Related Identifiers: CVE-2024-25633, GHSA-V677-8X8P-636V

Affected Products: Elabftw