CVE-2025-1472

Summary

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.11.0 <= 9.11.8affected
MattermostMattermost10.5.0unaffected
MattermostMattermost9.11.9unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References