Shodan
Vulnerabilities
Vulnerable Software
Mattermost:  >> Mattermost Server  >> 9.11.8  Security Vulnerabilities
CVE-2025-27715
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.
CVSS Score
3.3
EPSS Score
0.001
Published
2025-03-21
CVE-2025-27933
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public
CVSS Score
5.4
EPSS Score
0.001
Published
2025-03-21
CVE-2025-30179
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-03-21
CVE-2025-24920
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels
CVSS Score
4.3
EPSS Score
0.001
Published
2025-03-21
CVE-2025-25068
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-03-21
CVE-2025-25274
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
CVSS Score
4.3
EPSS Score
0.002
Published
2025-03-21
CVE-2025-1472
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-03-19


Products
Pricing
Contact Us

Shodan ® - All rights reserved