CVE-2025-1412

Summary

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.11.0 <= 9.11.6affected
MattermostMattermost10.4.0 <= 10.4.1affected
MattermostMattermost10.5.0unaffected
MattermostMattermost9.11.7unaffected
MattermostMattermost10.4.2unaffected

Weaknesses

  • CWE-384: CWE-384: Session Fixation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References