CVE-2025-27933Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect Authorization5 documents4 sources
Severity
4.3MEDIUMNVD
CNA5.4
EPSS
0.1%
top 71.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedMar 21
Latest updateMar 25

Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.9+2
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.9+incompatible+3
CVEListV5mattermost/mattermost10.4.010.4.2+2

🔴Vulnerability Details

4
OSV
Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server2025-03-25
OSV
Mattermost allows members with permission to convert public channels to private and convert private to public2025-03-21
CVEList
Unauthorized Private-to-Public Channel Conversion2025-03-21
GHSA
Mattermost allows members with permission to convert public channels to private and convert private to public2025-03-21
CVE-2025-27933 — Incorrect Authorization | cvebase