CVE-2025-12419
- EPSS 0.31%
- Veröffentlicht 27.11.2025 15:55:44
- Zuletzt bearbeitet 03.12.2025 15:17:16
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to ...
CVE-2025-55074
- EPSS 0.15%
- Veröffentlicht 18.11.2025 15:23:29
- Zuletzt bearbeitet 25.11.2025 20:24:39
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects
CVE-2025-11794
- EPSS 0.25%
- Veröffentlicht 14.11.2025 10:45:39
- Zuletzt bearbeitet 19.11.2025 21:40:16
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint
CVE-2025-41436
- EPSS 0.15%
- Veröffentlicht 14.11.2025 08:15:45
- Zuletzt bearbeitet 17.11.2025 17:52:01
Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
CVE-2025-55070
- EPSS 0.27%
- Veröffentlicht 14.11.2025 08:15:45
- Zuletzt bearbeitet 17.11.2025 17:51:05
Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events
CVE-2025-55073
- EPSS 0.16%
- Veröffentlicht 14.11.2025 08:15:45
- Zuletzt bearbeitet 19.11.2025 21:44:28
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams pl...
CVE-2025-11776
- EPSS 0.17%
- Veröffentlicht 14.11.2025 08:15:43
- Zuletzt bearbeitet 17.11.2025 17:52:51
Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
CVE-2025-11777
- EPSS 0.16%
- Veröffentlicht 13.11.2025 17:32:03
- Zuletzt bearbeitet 17.11.2025 18:05:07
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams...
CVE-2025-58073
- EPSS 0.38%
- Veröffentlicht 16.10.2025 08:44:26
- Zuletzt bearbeitet 21.10.2025 17:51:42
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless ...
CVE-2025-41410
- EPSS 0.29%
- Veröffentlicht 16.10.2025 08:39:58
- Zuletzt bearbeitet 21.10.2025 18:00:54
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import...