PT-2025-23308 · Mattermost · Mattermost

Eahmed

Publicado

2025-05-30

Atualizado

2025-07-03

CVE-2025-3230

CVSS v3.1

5.4

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.7.x through 10.7.0 Mattermost versions 10.6.x through 10.6.2 Mattermost versions 10.5.x through 10.5.3 Mattermost versions 9.11.x through 9.11.12

Description The issue is related to the failure of the system to properly invalidate personal access tokens when a user is deactivated. This allows deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

Recommendations For versions 10.7.x through 10.7.0, update to a version that properly invalidates personal access tokens upon user deactivation. For versions 10.6.x through 10.6.2, update to a version that properly invalidates personal access tokens upon user deactivation. For versions 10.5.x through 10.5.3, update to a version that properly invalidates personal access tokens upon user deactivation. For versions 9.11.x through 9.11.12, update to a version that properly invalidates personal access tokens upon user deactivation.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-303

Identificadores relacionados

CVE-2025-3230

GHSA-MC2F-JGJ6-6CP3

GO-2025-3731

OPENSUSE-SU-2025:15225-1

Produtos afetados

Mattermost

PT-2025-23308 · Mattermost · Mattermost

CVE-2025-3230

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 41