CVE-2025-1472 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=9.11.0 <9.11.9
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
EPSS: 0.00049 (percentile 0.14885)
Details
Mattermost Fails to Properly Perform Viewer Role Authorization
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker holding the Viewer role configured with "No Access" to Reporting to still view team and site statistics.
Metadata
Created: 2025-03-19T15:31:45Z
Modified: 2025-03-19T21:52:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-fqrq-xmxj-v47x/GHSA-fqrq-xmxj-v47x.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-fqrq-xmxj-v47x
Finding: F006
Auto approve: 1