
CVE-2025-4128 – Mattermost Guest User Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2025-4128
11 Jun 2025 — Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-4573 – LDAP Injection in Mattermost Enterprise Edition When Using Active Directory
https://notcve.org/view.php?id=CVE-2025-4573
11 Jun 2025 — Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute. • https://mattermost.com/security-updates • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •

CVE-2025-3611 – Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions
https://notcve.org/view.php?id=CVE-2025-3611
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE ... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3230 – Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server
https://notcve.org/view.php?id=CVE-2025-3230
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-303: Incorrect Implementation of Authentication Algorithm •

CVE-2025-2571 – Google OAuth Authentication Bypass for Converted Bot Accounts
https://notcve.org/view.php?id=CVE-2025-2571
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-303: Incorrect Implementation of Authentication Algorithm •

CVE-2025-1792 – Improper Access Control in Mattermost Channel Member API
https://notcve.org/view.php?id=CVE-2025-1792
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3913 – Team Privacy Settings Authorization Bypass in Mattermost Server
https://notcve.org/view.php?id=CVE-2025-3913
29 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. These are all security issues fixed in the govulncheck-vulndb-0.0.20250612T141001-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-2570 – System Admin Cannot Access Environment settings in System Console While System Manager Can
https://notcve.org/view.php?id=CVE-2025-2570
15 May 2025 — Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting if the user doesn't have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via the System Console. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-2527 – Improper access control to group information
https://notcve.org/view.php?id=CVE-2025-2527
15 May 2025 — Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3446 – Members Without Guest Invite Permissions Can Add Guests to Teams
https://notcve.org/view.php?id=CVE-2025-3446
15 May 2025 — Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions, which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API for adding a single user to a team. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •