CVE-2025-3913
published 2025-05-29CVE-2025-3913: Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy…
low3.8CVSS 3.1
AVNACLPRHUINSUCLILAN
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.5.0-rc1+incompatible < 10.5.4+incompatible | 10.5.4+incompatible |
| github.com | mattermost_mattermost-server | >= 10.6.0-rc1+incompatible < 10.6.3+incompatible | 10.6.3+incompatible |
| github.com | mattermost_mattermost-server | >= 10.7.0-rc1+incompatible < 10.7.1+incompatible | 10.7.1+incompatible |
| github.com | mattermost_mattermost-server | >= 9.0.0-rc1+incompatible < 9.11.13+incompatible | 9.11.13+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250412152950-02c76784380a | 8.0.0-20250412152950-02c76784380a |
| github.com | mattermost_mattermost_server_v8 | >= 10.5.0-rc1 < 10.5.4 | 10.5.4 |
| github.com | mattermost_mattermost_server_v8 | >= 10.6.0-rc1 < 10.6.3 | 10.6.3 |
| github.com | mattermost_mattermost_server_v8 | >= 10.7.0-rc1 < 10.7.1 | 10.7.1 |
| github.com | mattermost_mattermost_server_v8 | >= 9.0.0-rc1 < 9.11.13 | 9.11.13 |
| mattermost | mattermost | — | — |
| mattermost | mattermost | 10.5.0 – 10.5.3 | — |
| mattermost | mattermost | 10.6.0 – 10.6.2 | — |
| mattermost | mattermost | 9.11.0 – 9.11.12 | — |
| mattermost | mattermost_server | >= 10.5.0 < 10.5.4 | 10.5.4 |
| mattermost | mattermost_server | >= 10.6.0 < 10.6.3 | 10.6.3 |
| mattermost | mattermost_server | >= 10.7.0 < 10.7.1 | 10.7.1 |
| mattermost | mattermost_server | >= 9.11.0 < 9.11.13 | 9.11.13 |