CVE-2025-14273
- EPSS 0.23%
- Veröffentlicht 22.12.2025 11:24:55
- Zuletzt bearbeitet 29.12.2025 18:47:45
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin,...
CVE-2025-13324
- EPSS 0.17%
- Veröffentlicht 17.12.2025 18:14:13
- Zuletzt bearbeitet 29.12.2025 18:46:13
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an a...
CVE-2025-12689
- EPSS 0.24%
- Veröffentlicht 17.12.2025 18:14:10
- Zuletzt bearbeitet 29.12.2025 18:44:33
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.
CVE-2025-62690
- EPSS 0.13%
- Veröffentlicht 17.12.2025 12:19:17
- Zuletzt bearbeitet 29.12.2025 18:55:05
Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
- EPSS 0.15%
- Veröffentlicht 17.12.2025 12:11:25
- Zuletzt bearbeitet 29.12.2025 18:50:47
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary Git...
CVE-2025-62190
- EPSS 0.1%
- Veröffentlicht 17.12.2025 12:07:37
- Zuletzt bearbeitet 29.12.2025 18:51:51
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject message...
CVE-2025-13870
- EPSS 0.19%
- Veröffentlicht 02.12.2025 09:28:44
- Zuletzt bearbeitet 03.12.2025 20:57:20
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe t...
CVE-2025-12756
- EPSS 0.16%
- Veröffentlicht 01.12.2025 19:51:46
- Zuletzt bearbeitet 05.12.2025 15:26:22
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by ...
CVE-2025-12421
- EPSS 0.31%
- Veröffentlicht 27.11.2025 17:47:04
- Zuletzt bearbeitet 03.12.2025 15:10:42
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform...
CVE-2025-12559
- EPSS 0.19%
- Veröffentlicht 27.11.2025 16:36:30
- Zuletzt bearbeitet 03.12.2025 15:16:02
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api...