{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11599", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2024-11-21T16:26:32.694Z", "datePublished": "2024-11-28T09:42:48.141Z", "dateUpdated": "2024-11-29T19:55:00.509Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "10.0.1", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "10.1.1", "status": "affected", "version": "10.1.0", "versionType": "semver"}, {"lessThanOrEqual": "9.11.3", "status": "affected", "version": "9.11.0", "versionType": "semver"}, {"lessThanOrEqual": "9.5.11", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.2.0"}, {"status": "unaffected", "version": "10.0.2"}, {"status": "unaffected", "version": "10.1.2"}, {"status": "unaffected", "version": "9.11.4"}, {"status": "unaffected", "version": "9.5.12"}]}], "credits": [{"lang": "en", "type": "finder", "value": "jofra (v_jofra)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 10.0.x &lt;= 10.0.1, 10.1.x &lt;= 10.1.1, 9.11.x &lt;= 9.11.3, 9.5.x &lt;= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.</p>"}], "value": "Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-11-28T09:42:48.141Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.2.0, 10.0.2, 10.1.2, 9.11.4, 9.5.12 or higher.</p>"}], "value": "Update Mattermost to versions 10.2.0, 10.0.2, 10.1.2, 9.11.4, 9.5.12 or higher."}], "source": {"advisory": "MMSA-2024-00386", "defect": ["https://mattermost.atlassian.net/browse/MM-60721"], "discovery": "EXTERNAL"}, "title": "Domain Restriction Bypass on Registration", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "mattermost", "product": "mattermost", "cpes": ["cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "10.0.0", "status": "affected", "lessThanOrEqual": "10.0.1", "versionType": "semver"}, {"version": "10.1.0", "status": "affected", "lessThanOrEqual": "10.1.1", "versionType": "semver"}, {"version": "9.11.0", "status": "affected", "lessThanOrEqual": "9.11.3", "versionType": "semver"}, {"version": "9.5.0", "status": "affected", "lessThanOrEqual": "9.5.11", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-29T19:52:25.780209Z", "id": "CVE-2024-11599", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T19:55:00.509Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11599", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-29T19:52:25.780209Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"], "vendor": "mattermost", "product": "mattermost", "versions": [{"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.1"}, {"status": "affected", "version": "10.1.0", "versionType": "semver", "lessThanOrEqual": "10.1.1"}, {"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "9.11.3"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.11"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T19:54:53.238Z"}}], "cna": {"title": "Domain Restriction Bypass on Registration", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-60721"], "advisory": "MMSA-2024-00386", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "jofra (v_jofra)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.1"}, {"status": "affected", "version": "10.1.0", "versionType": "semver", "lessThanOrEqual": "10.1.1"}, {"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "9.11.3"}, {"status": "affected", "version": "9.5.0", "versionType": "semver", "lessThanOrEqual": "9.5.11"}, {"status": "unaffected", "version": "10.2.0"}, {"status": "unaffected", "version": "10.0.2"}, {"status": "unaffected", "version": "10.1.2"}, {"status": "unaffected", "version": "9.11.4"}, {"status": "unaffected", "version": "9.5.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 10.2.0, 10.0.2, 10.1.2, 9.11.4, 9.5.12 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 10.2.0, 10.0.2, 10.1.2, 9.11.4, 9.5.12 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 10.0.x &lt;= 10.0.1, 10.1.x &lt;= 10.1.1, 9.11.x &lt;= 9.11.3, 9.5.x &lt;= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2024-11-28T09:42:48.141Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11599", "state": "PUBLISHED", "dateUpdated": "2024-11-29T19:55:00.509Z", "dateReserved": "2024-11-21T16:26:32.694Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2024-11-28T09:42:48.141Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCC5F47D-C2DB-43F7-ACD1-818BB90B92B3", "versionEndExcluding": "9.5.12", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "248F920B-1EE2-40BD-876D-B485CC7E542E", "versionEndExcluding": "9.11.4", "versionStartIncluding": "9.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "45091AE5-AA1E-4AA7-BF77-7A44D0F65626", "versionEndExcluding": "10.0.2", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "08B91DB1-AC84-4446-86C3-30F796AE8EEB", "versionEndExcluding": "10.1.2", "versionStartIncluding": "10.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration."}, {"lang": "es", "value": "Las versiones de Mattermost 10.0.x &lt;= 10.0.1, 10.1.x &lt;= 10.1.1, 9.11.x &lt;= 9.11.3, 9.5.x &lt;= 9.5.11 no logran validar correctamente las direcciones de correo electr\u00f3nico, lo que permite que un usuario no autenticado eluda las restricciones de dominio de correo electr\u00f3nico mediante una entrada cuidadosamente manipulada en el registro de correo electr\u00f3nico."}], "id": "CVE-2024-11599", "lastModified": "2025-10-01T18:25:03.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-28T10:15:06.657", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{}