Home > Vulnerability Database > CVE-2024-25633

Mend.io Vulnerability Database

CVE-2024-25633

Good to know:

Date: August 15, 2024

eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior to version 5.0.0 that allows regular users to create new, validated accounts in their team. If the system has anonymous access enabled (disabled by default) an unauthenticated user can create regular users in any team. This vulnerability has been fixed since version 5.0.0, released on February 17th 2024. Some workarounds are available. Disabling both options that allow *administrators* to create users will provide a mitigation. Additionally, disabling anonymous user access will stop anonymous access (including using existing access keys).

Language: PHP

Severity Score

5.4

Related Resources (3)

Url: https://github.com/elabftw/elabftw/security/advisories/GHSA-v677-8x8p-636v

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-25633

Url: https://www.mend.io/vulnerability-database/CVE-2024-25633

Severity Score

5.4

Weakness Type (CWE)

Incorrect Privilege Assignment

CWE-266

Top Fix

Upgrade Version

Upgrade to version 5.0.0

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-25633

Good to know:

Date: August 15, 2024

Language: PHP

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?