PT-2025-30028 · Mattermost · Mattermost
Published: 2025-07-18 · Updated: 2025-08-04 · CVE-2025-6227
CVSS v3.1: 3.1 (Low)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.5.x through 10.5.7
Mattermost versions 9.11.x through 9.11.16
Description
Mattermost fails to negotiate a new token when an invite is accepted: the credentials carried by the invite itself remain valid for later use. As a result, a user who intercepts both the invite and its password can send synchronization payloads via the REST API to the server that originally created the invite.
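As an added illustration that is not Mattermost's code (every type, function and value below is hypothetical and constructed for this page), the following Go program contrasts an invite-acceptance flow with the weakness the description names, where the invite password itself becomes the credential for later sync payloads and the invite is never consumed, with a hardened flow that negotiates a fresh random token on acceptance, binds it to the accepting remote and consumes the invite so a captured invite plus password cannot be reused.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrBadInvite      = errors.New("unknown invite or wrong invite password")
	ErrInviteConsumed = errors.New("invite already accepted")
	ErrUnauthorized   = errors.New("sync payload rejected: unknown token")
)

// Invite is a hypothetical one-time invite; Secret stands in for the
// password delivered alongside it.
type Invite struct {
	ID, Secret string
	Consumed   bool
}

// Server is a hypothetical origin server that issues invites and later
// authenticates synchronization payloads by token (single-goroutine demo).
type Server struct {
	invites    map[string]*Invite
	syncTokens map[string]string // credential -> accepting remote
}

func NewServer() *Server {
	return &Server{invites: map[string]*Invite{}, syncTokens: map[string]string{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *Server) CreateInvite() *Invite {
	inv := &Invite{ID: randomHex(8), Secret: randomHex(16)}
	s.invites[inv.ID] = inv
	return inv
}

// lookup checks the invite ID and password (constant-time compare).
func (s *Server) lookup(inviteID, secret string) (*Invite, error) {
	inv, ok := s.invites[inviteID]
	if !ok || subtle.ConstantTimeCompare([]byte(inv.Secret), []byte(secret)) != 1 {
		return nil, ErrBadInvite
	}
	return inv, nil
}

// AcceptInviteInsecure models the weakness: no new token is negotiated, the
// invite password becomes the sync credential, and the invite is never consumed.
func (s *Server) AcceptInviteInsecure(inviteID, secret, remote string) (string, error) {
	if _, err := s.lookup(inviteID, secret); err != nil {
		return "", err
	}
	s.syncTokens[secret] = remote
	return secret, nil
}

// AcceptInviteSecure negotiates a fresh random token bound to the accepting
// remote and marks the invite consumed; the invite password never becomes a sync credential.
func (s *Server) AcceptInviteSecure(inviteID, secret, remote string) (string, error) {
	inv, err := s.lookup(inviteID, secret)
	if err != nil {
		return "", err
	}
	if inv.Consumed {
		return "", ErrInviteConsumed
	}
	inv.Consumed = true
	token := randomHex(32)
	s.syncTokens[token] = remote
	return token, nil
}

// AcceptSyncPayload stands in for the REST endpoint: authenticate by token, return the remote it was issued to.
func (s *Server) AcceptSyncPayload(token string, payload []byte) (string, error) {
	remote, ok := s.syncTokens[token]
	if !ok {
		return "", ErrUnauthorized
	}
	_ = payload // constructed payload; content handling is out of scope here
	return remote, nil
}

func main() {
	srv := NewServer()
	inv := srv.CreateInvite()
	tok, _ := srv.AcceptInviteSecure(inv.ID, inv.Secret, "remote-a")
	_, err := srv.AcceptSyncPayload(inv.Secret, []byte(`{"event":"constructed"}`))
	fmt.Println("sync with captured invite password:", err)
	remote, err := srv.AcceptSyncPayload(tok, nil)
	fmt.Println("sync with negotiated token:", remote, err)
}
```

The design point is that the secret distributed with an invite is a bootstrap credential only: acceptance should exchange it for a server-generated token and retire the invite, so that detection can key on repeated acceptances of the same invite and mitigation does not depend on the invite never being observed in transit.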
Recommendations
Update Mattermost to a version later than 10.5.7.
Update Mattermost to a version later than 9.11.16.
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
CVE-2025-6227
Affected Products
Mattermost