CVE-2025-4128
- EPSS 0.19%
- Veröffentlicht 11.06.2025 10:25:04
- Zuletzt bearbeitet 08.07.2025 19:42:06
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api...
CVE-2025-4573
- EPSS 0.24%
- Veröffentlicht 11.06.2025 10:22:24
- Zuletzt bearbeitet 08.07.2025 17:59:16
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to e...
CVE-2025-3230
- EPSS 0.19%
- Veröffentlicht 30.05.2025 14:22:09
- Zuletzt bearbeitet 15.10.2025 14:16:49
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access tok...
CVE-2025-3611
- EPSS 0.19%
- Veröffentlicht 30.05.2025 14:22:09
- Zuletzt bearbeitet 08.07.2025 17:11:34
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not...
CVE-2025-1792
- EPSS 0.21%
- Veröffentlicht 30.05.2025 14:22:08
- Zuletzt bearbeitet 15.10.2025 14:15:03
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public chann...
CVE-2025-2571
- EPSS 0.18%
- Veröffentlicht 30.05.2025 14:22:08
- Zuletzt bearbeitet 15.10.2025 14:15:37
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the G...
CVE-2025-3913
- EPSS 0.27%
- Veröffentlicht 29.05.2025 15:10:36
- Zuletzt bearbeitet 03.10.2025 14:02:57
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and mod...
CVE-2025-2570
- EPSS 0.28%
- Veröffentlicht 15.05.2025 15:27:50
- Zuletzt bearbeitet 06.10.2025 15:22:43
Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true ...
CVE-2025-2527
- EPSS 0.26%
- Veröffentlicht 15.05.2025 15:27:49
- Zuletzt bearbeitet 22.08.2025 20:21:35
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.
CVE-2025-3446
- EPSS 0.2%
- Veröffentlicht 15.05.2025 10:43:46
- Zuletzt bearbeitet 29.09.2025 21:05:33
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that...