
CVE-2025-25068 – Bypassing MFA Enforcement on Plugin Endpoints
https://notcve.org/view.php?id=CVE-2025-25068
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •

CVE-2025-24920 – Unauthorized Bookmark Creation and Modification in Archived Channels
https://notcve.org/view.php?id=CVE-2025-24920
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-30179 – MFA Enforcement Bypass in Search APIs
https://notcve.org/view.php?id=CVE-2025-30179
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
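The two MFA advisories above (CVE-2025-25068 on plugin routes, CVE-2025-30179 on search APIs) share one root cause class: the MFA gate is applied to some route subtrees rather than to the whole authenticated surface, so any endpoint registered outside the gated subtree is reachable with a session that never completed its second factor. The Go program below is an added illustration of that layout and of the deny-by-default alternative; it is not Mattermost's code, and the session model, token table and route paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed session model (not Mattermost's): MFAEnabled says the account
// has a second factor configured, MFAVerified says this session completed it.
type Session struct {
	UserID      string
	MFAEnabled  bool
	MFAVerified bool
}

// Constructed token table standing in for real session lookup.
var sessions = map[string]Session{
	"tok-verified":   {UserID: "u1", MFAEnabled: true, MFAVerified: true},
	"tok-unverified": {UserID: "u2", MFAEnabled: true, MFAVerified: false},
}

func lookupSession(r *http.Request) (Session, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	s, ok := sessions[tok]
	return s, ok
}

// requireMFA rejects authenticated sessions that have not completed their
// second factor. Only paths listed in exempt (the ones needed to finish MFA
// enrolment) are let through without it.
func requireMFA(next http.Handler, exempt map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s, ok := lookupSession(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if s.MFAEnabled && !s.MFAVerified && !exempt[r.URL.Path] {
			http.Error(w, "mfa required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// buildVulnerable mounts the MFA gate on the core API subtree only; the plugin
// subtree is registered beside it and never passes through requireMFA.
func buildVulnerable() http.Handler {
	api := http.NewServeMux()
	api.Handle("/api/v4/users/search", okHandler)
	root := http.NewServeMux()
	root.Handle("/api/v4/", requireMFA(api, nil))
	root.Handle("/plugins/", okHandler) // reachable with a session that never finished MFA
	return root
}

// buildHardened wraps the whole tree, so any route registered later (plugin or
// core) inherits the gate; exemptions are an explicit, reviewed list.
func buildHardened() http.Handler {
	root := http.NewServeMux()
	root.Handle("/api/v4/users/search", okHandler)
	root.Handle("/api/v4/users/mfa", okHandler) // must stay reachable to complete MFA
	root.Handle("/plugins/", okHandler)
	return requireMFA(root, map[string]bool{"/api/v4/users/mfa": true})
}

// status sends GET path with the given bearer token and returns the HTTP status.
func status(h http.Handler, token, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	plugin := "/plugins/com.example.plugin/api/v1/items"
	fmt.Println("vulnerable, unverified session, plugin route:", status(buildVulnerable(), "tok-unverified", plugin))
	fmt.Println("hardened,   unverified session, plugin route:", status(buildHardened(), "tok-unverified", plugin))
	fmt.Println("hardened,   verified session,   plugin route:", status(buildHardened(), "tok-verified", plugin))
}
```

The practical check this suggests for any deployment with MFA enforcement turned on: enumerate every route the server exposes to an authenticated session (core API, plugin routes, search and export endpoints) and confirm each one is reached only through the MFA gate, with the exemption list reviewed as code rather than inferred from where handlers happen to be mounted.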

CVE-2025-25274 – Unauthorized Command Execution in Archived Channels
https://notcve.org/view.php?id=CVE-2025-25274
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-27933 – Unauthorized Private-to-Public Channel Conversion
https://notcve.org/view.php?id=CVE-2025-27933
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private channels to public. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-27715 – Auto-Enrollment of Team Admins into Private Channels without explicit consent
https://notcve.org/view.php?id=CVE-2025-27715
21 Mar 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalinks without their explicit consent. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-1472 – Unauthorized View Access to Site Statistics and Team Statistics
https://notcve.org/view.php?id=CVE-2025-1472
19 Mar 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-20051 – Arbitrary file read via block duplication in Mattermost Boards
https://notcve.org/view.php?id=CVE-2025-20051
24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-24490 – SQL Injection in Mattermost Boards via board category ID reordering
https://notcve.org/view.php?id=CVE-2025-24490
24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering, which allows an attacker to retrieve data from the database via a SQL injection when reordering specially crafted board categories. • https://mattermost.com/security-updates • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-25279 – Arbitrary file read in Mattermost Boards via import & export board archive
https://notcve.org/view.php?id=CVE-2025-25279
24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system via importing and exporting a specially crafted board archive in Boards. • https://github.com/numanturle/CVE-2025-25279 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
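Both Boards path-traversal advisories (CVE-2025-20051 via block duplication, CVE-2025-25279 via board archive import/export) come down to a file reference inside block data being joined onto the server's file storage root without checking where the result lands. The Go snippet below is an added example of the containment check a practitioner would want in that code path; it is not Mattermost's or Boards' code, the storage root and the block references are constructed, and the stricter isPlainFileID rule assumes the reference is meant to be an opaque attachment ID rather than a path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("file reference resolves outside the storage root")

// resolveUnderRoot joins a user-controlled reference (e.g. a file field taken
// from an imported or duplicated block) onto root and returns the full path
// only if it stays inside root. The check runs on the joined, cleaned path,
// so "..", "a/../../x" and absolute references are all caught.
func resolveUnderRoot(root, ref string) (string, error) {
	if ref == "" {
		return "", errors.New("empty file reference")
	}
	if filepath.IsAbs(ref) {
		// Join would silently prefix root onto an absolute path; reject instead.
		return "", ErrOutsideRoot
	}
	root = filepath.Clean(root)
	full := filepath.Join(root, ref) // Join also cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	if rel == "." {
		// The root directory itself is never a valid file target.
		return "", errors.New("file reference resolves to the storage root")
	}
	return full, nil
}

// isPlainFileID is the stricter rule for stored attachment names: a single
// path segment with no separators and no dot-only component. Prefer this when
// the reference is supposed to be an opaque ID rather than a path.
func isPlainFileID(id string) bool {
	if id == "" || id == "." || id == ".." {
		return false
	}
	return !strings.ContainsAny(id, `/\`)
}

func main() {
	root := "/srv/mattermost/files" // constructed storage root
	for _, ref := range []string{
		"boards/7x3k2.png",           // constructed legitimate reference
		"../../../../etc/passwd",     // classic traversal
		"boards/../../../etc/passwd", // traversal hidden behind a valid prefix
		"/etc/passwd",                // absolute reference
	} {
		p, err := resolveUnderRoot(root, ref)
		fmt.Printf("%-30q -> %q err=%v\n", ref, p, err)
	}
}
```

Two caveats a reviewer would raise on top of this: the check is lexical, so if the storage root can contain symlinks created by users the final path should also be passed through filepath.EvalSymlinks and re-checked; and an export path is worth the same treatment as import, since the advisory names both directions.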