CVE-2025-64641
published 2025-12-24CVE-2025-64641: Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly…
medium4.1CVSS 3.1
AVNACLPRLUIRSCCLINAN
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.8 | 10.11.8 |
| github.com | mattermost_mattermost-server | >= 10.11.0+incompatible < 10.11.8+incompatible | 10.11.8+incompatible |
| github.com | mattermost_mattermost-server | >= 10.12.0 < 10.12.4 | 10.12.4 |
| github.com | mattermost_mattermost-server | >= 10.12.0+incompatible < 10.12.4+incompatible | 10.12.4+incompatible |
| github.com | mattermost_mattermost-server | >= 11.0.0 < 11.0.6 | 11.0.6 |
| github.com | mattermost_mattermost-server | >= 11.0.1+incompatible < 11.0.6+incompatible | 11.0.6+incompatible |
| github.com | mattermost_mattermost-server | >= 11.1.0 < 11.1.1 | 11.1.1 |
| github.com | mattermost_mattermost-server | >= 11.1.0+incompatible < 11.1.1+incompatible | 11.1.1+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20251121122154-b57c297c6d7 | 8.0.0-20251121122154-b57c297c6d7 |
| mattermost | mattermost | 10.11.0 – 10.11.7 | — |
| mattermost | mattermost | 10.12.0 – 10.12.3 | — |
| mattermost | mattermost | 11.0.0 – 11.0.5 | — |
| mattermost | mattermost | 11.1.0 – 11.1.0 | — |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.8 | 10.11.8 |
| mattermost | mattermost_server | >= 10.12.0 < 10.12.4 | 10.12.4 |
| mattermost | mattermost_server | >= 11.0.0 < 11.0.6 | 11.0.6 |
| mattermost | mattermost_server | >= 11.1.0 < 11.1.1 | 11.1.1 |