4.2

CVE-2025-2571

EPSS 0.17%
Veröffentlicht 30.05.2025 14:22:08
Zuletzt bearbeitet 15.10.2025 14:15:37
Quelle responsibledisclosure@mattermo
CVE-Watchlists
Login
Unerledigt
Login

Google OAuth Authentication Bypass for Converted Bot Accounts

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mattermost ≫ Mattermost Server Version >= 9.11.0 < 9.11.13

Mattermost ≫ Mattermost Server Version >= 10.5.0 < 10.5.4

Mattermost ≫ Mattermost Server Version >= 10.6.0 < 10.6.3

Mattermost ≫ Mattermost Server Version >= 10.7.0 < 10.7.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.386

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
responsibledisclosure@mattermost.com	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

https://mattermost.com/security-updates

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-2571

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2571

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2571

EUVD