EUVD-2025-200218
GHSA-58w6-w55x-6wq8
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Description
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to
Analysis
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to
Technical Context
An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Missing Authentication for Critical Function (CWE-306).
Affected Products
Affected products: Mattermost Mattermost Server
Remediation
Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.
Priority Score
Vendor Status
Debian
Bug #823556| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today