PT-2025-16565 · Mattermost · Mattermost
0X7Oda7123
Published: 2025-04-16 · Updated: 2025-04-23
CVE-2025-27538
CVSS v3.1: 2.7 (Low)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 9.11.x through 9.11.9
Mattermost versions 10.5.x through 10.5.1
Description
The issue arises from the failure to enforce MFA checks in the PUT /api/v4/users/user-id/mfa endpoint when the requesting user differs from the target user ID. This allows users with the edit other users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
Recommendations
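To make the authorization gap concrete, the following Go snippet is an added illustration and not Mattermost's own code: the `User` type, the `CanEditOthers` flag standing in for the "edit other users" permission, the `MFAEnrolled` flag and both handler functions are assumptions chosen to model the advisory's description. The vulnerable function checks only the permission on the cross-user path, so MFA can be toggled for an account that never enrolled; the hardened function applies the enrolment check on every path after the permission check.

```go
package main

import (
	"errors"
	"fmt"
)

// User is an illustrative model (an assumption, not Mattermost's own type).
type User struct {
	ID            string
	CanEditOthers bool // stands in for the "edit other users" permission
	MFAEnrolled   bool // true once the user has completed MFA setup
	MFAActive     bool
}

var (
	ErrForbidden      = errors.New("requester may not edit this user")
	ErrMFANotEnrolled = errors.New("target user has not set up MFA")
)

// vulnerableUpdateMFA mirrors the flaw the advisory describes: when the
// requester is not the target, only the permission is checked, so a user
// holding "edit other users" can switch MFA on or off for an account that
// never enrolled.
func vulnerableUpdateMFA(requester, target *User, activate bool) error {
	if requester.ID != target.ID {
		if !requester.CanEditOthers {
			return ErrForbidden
		}
		target.MFAActive = activate // enrolment is never checked on this path
		return nil
	}
	if activate && !target.MFAEnrolled {
		return ErrMFANotEnrolled
	}
	target.MFAActive = activate
	return nil
}

// hardenedUpdateMFA performs the permission check first and then applies the
// same enrolment check regardless of who made the request.
func hardenedUpdateMFA(requester, target *User, activate bool) error {
	if requester.ID != target.ID && !requester.CanEditOthers {
		return ErrForbidden
	}
	if activate && !target.MFAEnrolled {
		return ErrMFANotEnrolled
	}
	target.MFAActive = activate
	return nil
}

func main() {
	// Constructed sample accounts: an admin with the permission and a user
	// who has never enrolled in MFA.
	admin := &User{ID: "admin", CanEditOthers: true}
	alice := &User{ID: "alice"}

	fmt.Println("vulnerable:", vulnerableUpdateMFA(admin, alice, true), "active:", alice.MFAActive)
	alice.MFAActive = false
	fmt.Println("hardened:  ", hardenedUpdateMFA(admin, alice, true), "active:", alice.MFAActive)
}
```

The design point is that the cross-user branch must not be a shortcut around the per-target state checks; once the requester's permission is established, the target's MFA enrolment is validated exactly as it would be for a self-service request.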
For versions 9.11.x through 9.11.9, update to a version that enforces MFA checks for the PUT /api/v4/users/user-id/mfa endpoint.
For versions 10.5.x through 10.5.1, update to a version that enforces MFA checks for the PUT /api/v4/users/user-id/mfa endpoint.
As a temporary workaround, consider restricting the edit other users permission to minimize the risk of exploitation.
Fix
Weakness Enumeration
Missing Authentication
Related Identifiers
Affected Products
Mattermost