CVE-2025-24490SQL Injection in Server

CWE-89SQL Injection3 documents3 sources
Severity
6.5MEDIUMNVD
CNA9.6
EPSS
0.5%
top 35.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost ServerMattermost
Timeline
PublishedFeb 24

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDmattermost/mattermost_server9.11.09.11.8+3
CVEListV5mattermost/mattermost10.4.010.4.1+3

🔴Vulnerability Details

2
CVEList
SQL Injection in Mattermost Boards via board category ID reordering2025-02-24
GHSA
GHSA-p4jg-qmjv-9x26: Mattermost versions 102025-02-24
CVE-2025-24490 — SQL Injection in Mattermost Server | cvebase