CVE-2025-59480

CWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.0%
top 97.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost Mattermost MobileMattermost Mattermost
Timeline
PublishedNov 13

Description

Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:NExploitability: 1.6 | Impact: 4.0

Affected Packages2 packages

CVEListV5mattermost/mattermost2.32.0

🔴Vulnerability Details

2
CVEList
Inadequate validation of SSO redirect credentials permits credential theft2025-11-13
GHSA
GHSA-h2fg-6x82-5f24: Mattermost Mobile Apps versions <=22025-11-13
CVE-2025-59480 (MEDIUM CVSS 6.5) | Mattermost Mobile Apps versions <=2 | cvebase.io