PT-2024-29932 · Mattermost · Mattermost

Doyensec

·

Published

2024-08-21

·

Updated

2024-08-23

·

CVE-2024-42411

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Mattermost versions 9.8.x through 9.8.2
Mattermost versions 9.9.x through 9.9.1
Mattermost versions 9.5.x through 9.5.7
Mattermost versions 9.10.x through 9.10.0

Description

The issue arises from the failure to restrict input in the POST /api/v4/users endpoint, allowing a user to manipulate the creation date. This can trick administrators into believing the account is much older than it actually is.

Recommendations

For versions 9.8.x through 9.8.2, update to a version later than 9.8.2 to resolve the issue.
For versions 9.9.x through 9.9.1, update to a version later than 9.9.1 to resolve the issue.
For versions 9.5.x through 9.5.7, update to a version later than 9.5.7 to resolve the issue.
For versions 9.10.x through 9.10.0, update to a version later than 9.10.0 to resolve the issue.
As a temporary workaround, consider restricting access to the POST /api/v4/users endpoint until a patch is available.
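As an added illustration, not code from this advisory and not Mattermost's own source, the following Go snippet contrasts a user-creation handler that keeps a client-supplied creation timestamp with one that assigns the timestamp on the server, and adds a check an administrator could run over existing accounts to flag records whose stored creation time predates the request that created them. The User struct, the JSON field name create_at, the tolerance and the sample timestamps are assumptions constructed for this example; the detection check goes beyond what the advisory itself describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// User is a minimal stand-in for an account record. The field set and the
// JSON name "create_at" are assumptions made for this example, not taken
// from the advisory or from Mattermost's source.
type User struct {
	Username string `json:"username"`
	Email    string `json:"email"`
	CreateAt int64  `json:"create_at"` // creation time, Unix milliseconds
}

// vulnerableCreateUser models the weakness the advisory describes: the
// request body is decoded straight into the account record, so a
// client-supplied "create_at" is kept and only a missing value is filled in.
func vulnerableCreateUser(body []byte, now func() time.Time) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	if u.CreateAt == 0 {
		u.CreateAt = now().UnixMilli()
	}
	return u, nil
}

// hardenedCreateUser treats the creation time as server-owned: whatever the
// client sent is discarded and the value is stamped from the server clock
// after decoding. Other server-controlled fields should get the same treatment.
func hardenedCreateUser(body []byte, now func() time.Time) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	u.CreateAt = now().UnixMilli() // unconditional overwrite, regardless of input
	return u, nil
}

// isBackdated is a detection check for accounts already in the database: it
// compares the stored creation time against an independent record of when the
// creating request was received (an access log or audit entry, assumed to be
// available) and flags the account if the stored time is earlier by more than
// tolerance.
func isBackdated(u User, requestReceived time.Time, tolerance time.Duration) bool {
	stored := time.UnixMilli(u.CreateAt)
	return requestReceived.Sub(stored) > tolerance
}

func main() {
	// Constructed sample request claiming a creation date years in the past.
	body := []byte(`{"username":"alice","email":"alice@example.test","create_at":1500000000000}`)
	received := time.UnixMilli(1724198400000) // constructed server clock value
	clock := func() time.Time { return received }

	v, _ := vulnerableCreateUser(body, clock)
	h, _ := hardenedCreateUser(body, clock)
	fmt.Printf("vulnerable handler stored create_at=%d backdated=%v\n",
		v.CreateAt, isBackdated(v, received, time.Minute))
	fmt.Printf("hardened handler stored create_at=%d backdated=%v\n",
		h.CreateAt, isBackdated(h, received, time.Minute))
}
```

The hardened handler deliberately overwrites rather than rejects, so clients that send the field keep working while the value they send has no effect; a stricter variant would decode into a request type that has no creation-time field at all and reject unknown fields. The detection check only works where the server keeps its own record of request arrival time, since the stored create_at is exactly the value an attacker controls.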

Fix

Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2024-42411

Affected Products

Mattermost