CVE-2025-13324
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mattermost | Mattermost | 10.11.0 <= 10.11.5 | affected |
| Mattermost | Mattermost | 11.0.0 <= 11.0.4 | affected |
| Mattermost | Mattermost | 10.12.0 <= 10.12.2 | affected |
| Mattermost | Mattermost | 11.1.0 | unaffected |
| Mattermost | Mattermost | 10.11.6 | unaffected |
| Mattermost | Mattermost | 11.0.5 | unaffected |
| Mattermost | Mattermost | 10.12.3 | unaffected |
Weaknesses
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.