CVE-2025-55073: Missing Authentication for Critical Function in Mattermost Mattermost-server

Severity: 5.3 MEDIUM (NVD); 5.4 (CNA)
EPSS: 0.0% (top 88.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14; Latest update Nov 18

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

Source     Package                                      Versions                                More
NVD        mattermost/mattermost_server                 10.5.0 to 10.5.12                       +2
Go         github.com/mattermost_mattermost-server      10.11.0 to 10.11.4                      +5
Go         github.com/mattermost_mattermost_server_v8   < 8.0.0-20250929212932-a41db04d2746
CVEListV5  mattermost/mattermost                        10.11.0 to 10.11.3                      +2

Vulnerability Details (4 references)

OSV (2025-11-18): Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
GHSA (2025-11-14): Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
CVEList (2025-11-14): MS Teams plugin OAuth allows editing arbitrary posts
OSV (2025-11-14): Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
CVE-2025-55073 — MEDIUM severity | cvebase