CVE-2025-1412
Published: 2025-02-24
Severity: High, CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Mattermost versions 9.11.x <= 9.11.6 and 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.4.0-rc1+incompatible < 10.4.2+incompatible | 10.4.2+incompatible |
| github.com | mattermost_mattermost-server | >= 9.11.0-rc1+incompatible < 9.11.7+incompatible | 9.11.7+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20241217145510-faa7e4f2ea0c | 8.0.0-20241217145510-faa7e4f2ea0c |
| github.com | mattermost_mattermost_server_v8 | >= 10.4.0-rc1 < 10.4.2 | 10.4.2 |
| github.com | mattermost_mattermost_server_v8 | >= 9.11.0-rc1 < 9.11.7 | 9.11.7 |
| mattermost | mattermost | 10.4.0 – 10.4.1 | — |
| mattermost | mattermost | 9.11.0 – 9.11.6 | — |
| mattermost | mattermost_server | >= 10.4.0 < 10.4.2 | 10.4.2 |
| mattermost | mattermost_server | >= 9.11.0 < 9.11.7 | 9.11.7 |