4.3
CVE-2025-47870
- EPSS 0.06%
- Veröffentlicht 21.08.2025 08:15:30
- Zuletzt bearbeitet 22.08.2025 18:09:17
- Quelle responsibledisclosure@mattermo
- CVE-Watchlists
- Unerledigt
Team invite ID leaked to team admin with no member invite privileges
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerMattermost
≫
Produkt
Mattermost
Default Statusunaffected
Version <=
10.8.3
Version
10.8.0
Status
affected
Version <=
10.5.8
Version
10.5.0
Status
affected
Version <=
9.11.17
Version
9.11.0
Status
affected
Version <=
10.9.2
Version
10.9.0
Status
affected
Version
10.10.0
Status
unaffected
Version
10.8.4
Status
unaffected
Version
10.5.9
Status
unaffected
Version
9.11.18
Status
unaffected
Version
10.9.3
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.18 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| responsibledisclosure@mattermost.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.