4.3
CVE-2025-11777
- EPSS 0.03%
- Veröffentlicht 13.11.2025 17:32:03
- Zuletzt bearbeitet 17.11.2025 18:05:07
- Quelle responsibledisclosure@mattermo
- CVE-Watchlists
- Unerledigt
Cross-team channel membership access
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mattermost ≫ Mattermost Server Version >= 10.5.0 < 10.5.12
Mattermost ≫ Mattermost Server Version >= 10.11.0 < 10.11.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.076 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
| responsibledisclosure@mattermost.com | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.