CVE-2025-1412Session Fixation in Mattermost Mattermost-server

CWE-384Session Fixation5 documents4 sources
Severity
8.8HIGHNVD
CNA3.1
EPSS
0.2%
top 62.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedFeb 24
Latest updateMar 3

Description

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.7+1
Gogithub.com/mattermost_mattermost-server9.11.0-rc1+incompatible9.11.7+incompatible+1
Gogithub.com/mattermost_mattermost_server_v810.4.0-rc110.4.2+2
CVEListV5mattermost/mattermost9.11.09.11.6+1

🔴Vulnerability Details

4
OSV
Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server2025-03-03
OSV
Mattermost fails to invalidate all active sessions when converting a user to a bot2025-02-24
GHSA
Mattermost fails to invalidate all active sessions when converting a user to a bot2025-02-24
CVEList
Session Persistence After User-to-Bot Conversion2025-02-24
CVE-2025-1412 — Session Fixation | cvebase