CVE-2025-24920 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 70.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMar 21

Latest updateMar 25

Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.9+3

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.9+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v810.4.0 — 10.4.3+3

▶CVEListV5mattermost/mattermost10.4.0 — 10.4.2+3

🔴Vulnerability Details

OSV

Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server↗2025-03-25

▶

GHSA

Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels↗2025-03-21

▶

OSV

Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels↗2025-03-21

▶

CVEList

Unauthorized Bookmark Creation and Modification in Archived Channels↗2025-03-21

▶