PT-2025-51854 · Mattermost · Mattermost

Daw10

Publicado

2025-12-17

Atualizado

2026-01-06

CVE-2025-13324

CVSS v3.1

3.7

Baixa

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.5 Mattermost versions 11.0.x through 11.0.4 Mattermost versions 10.12.x through 10.12.2

Description The software does not invalidate invite tokens after they are used. This allows a malicious actor who has intercepted an invite token to manipulate channel memberships. Specifically, they can add or remove users from private channels by replaying the token. The attack involves the replay of invite tokens.

Recommendations Update Mattermost to a version later than 10.11.5. Update Mattermost to a version later than 11.0.4. Update Mattermost to a version later than 10.12.2.

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-863

Identificadores relacionados

CVE-2025-13324

GHSA-X3R8-2HMH-89F5

GO-2025-4256

SUSE-SU-2026:0037-1

Produtos afetados

Mattermost

PT-2025-51854 · Mattermost · Mattermost

CVE-2025-13324

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 88