CVE-2025-1472 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization CWE-125 — Out-of-bounds Read6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 72.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMar 19

Latest updateJun 18

Description

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.9

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.9+incompatible+1

▶Gogithub.com/mattermost_mattermost_server_v89.11.0 — 9.11.9

▶CVEListV5mattermost/mattermost9.11.0 — 9.11.8

🔴Vulnerability Details

OSV

Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server↗2025-03-25

▶

CVEList

Unauthorized View Access to Site Statistics and Team Statistics↗2025-03-19

▶

OSV

Mattermost Fails to Properly Perform Viewer Role Authorization↗2025-03-19

▶

GHSA

Mattermost Fails to Properly Perform Viewer Role Authorization↗2025-03-19

▶

📋Vendor Advisories

Red Hat

kernel: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem↗2025-06-18

▶