PT-2025-46949 · Mattermost · Mattermost
Published
2025-11-14
·
Updated
2025-11-18
·
CVE-2025-11794
CVSS v2.0
6.8
Medium
| AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.5.x through 10.5.11
Mattermost versions 10.11.x through 10.11.3
Mattermost versions 10.12.x through 10.12.0
Description
The software does not properly sanitize the user data it returns, allowing an authenticated system administrator to obtain other users' password hashes and multi-factor authentication secrets. The data is exposed through the 'POST /api/v4/users/{user_id}/email/verify/member' API endpoint; the vulnerable parameter is the user_id path parameter.
Recommendations
Update Mattermost 10.5.x to a version later than 10.5.11.
Update Mattermost 10.11.x to a version later than 10.11.3.
Update Mattermost 10.12.x to a version later than 10.12.0.
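The flaw described above is a response-sanitization failure: a handler serialises the full server-side user record instead of stripping the secret-bearing fields first. The following Go program is an added illustration, not Mattermost's own code. It models a vulnerable and a fixed handler for the endpoint path quoted in the advisory, and includes a LeakedFields check that can be run against a captured response body after patching. Assumptions: the JSON keys "password", "mfa_secret" and "auth_data" (Mattermost's user model uses these names, but the cut-down struct here is illustrative), the user id "u1", and the constructed hash and MFA secret values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// User is a cut-down stand-in for a server-side user record (illustrative,
// not Mattermost's model). Assumed JSON keys: password, mfa_secret, auth_data.
type User struct {
	ID        string  `json:"id"`
	Email     string  `json:"email"`
	Username  string  `json:"username"`
	Password  string  `json:"password,omitempty"`
	MfaSecret string  `json:"mfa_secret,omitempty"`
	AuthData  *string `json:"auth_data,omitempty"`
}

// Sanitize clears the secret-bearing fields before the record leaves the server.
func (u *User) Sanitize() {
	u.Password = ""
	u.MfaSecret = ""
	u.AuthData = nil
}

// Constructed sample record: a bcrypt-shaped string (not a real hash) and a TOTP-style secret.
var sampleUser = User{
	ID:        "u1",
	Email:     "alice@example.invalid",
	Username:  "alice",
	Password:  "$2a$10$constructedSampleValueNotARealHash1234567890abcdefgh",
	MfaSecret: "JBSWY3DPEHPK3PXP",
}

// vulnerableVerify models the flaw: the whole user record is written to the response.
func vulnerableVerify(w http.ResponseWriter, r *http.Request) {
	u := sampleUser
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(u)
}

// fixedVerify sanitizes the record before encoding it.
func fixedVerify(w http.ResponseWriter, r *http.Request) {
	u := sampleUser
	u.Sanitize()
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(u)
}

// LeakedFields returns, sorted, the sensitive keys that appear with a non-empty,
// non-null value in a JSON response body. Feed it a captured response from the
// endpoint to confirm a deployment no longer returns these fields.
func LeakedFields(body []byte) []string {
	var m map[string]json.RawMessage
	if err := json.Unmarshal(body, &m); err != nil {
		return nil
	}
	var leaked []string
	for _, k := range []string{"password", "mfa_secret", "auth_data"} {
		raw, ok := m[k]
		if !ok {
			continue
		}
		s := strings.TrimSpace(string(raw))
		if s == "" || s == "null" || s == `""` {
			continue
		}
		leaked = append(leaked, k)
	}
	sort.Strings(leaked)
	return leaked
}

// Probe sends the request shape from the advisory to a handler and reports leaked keys.
func Probe(h http.HandlerFunc) []string {
	req := httptest.NewRequest(http.MethodPost, "/api/v4/users/u1/email/verify/member", nil)
	req.Header.Set("Authorization", "Bearer <admin-session-token>") // placeholder, assumed
	rec := httptest.NewRecorder()
	h(rec, req)
	return LeakedFields(rec.Body.Bytes())
}

func main() {
	fmt.Println("vulnerable handler leaks:", Probe(vulnerableVerify))
	fmt.Println("fixed handler leaks:     ", Probe(fixedVerify))
}
```

Against a live server, replace the in-process handler with a real POST using an admin session and pass the response body to LeakedFields; an empty result for every user id tested is the expected state after upgrading to a version listed in the recommendations.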
LPE
Information Disclosure
Affected Products
Mattermost