CVE-2025-47700 (GCVE-0-2025-47700)
Vulnerability from cvelistv5 – Published: 2025-08-21 07:28 – Updated: 2025-08-21 14:53
Title
AI plugin APIs can be triggered using post actions
Summary
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Mattermost | Mattermost | Unaffected: 10.10.0; Unaffected: 10.5.9; Affected: 10.5.0 to ≤ 10.5.8 (semver) |

Note: the summary's upper bound of "<= 10.5.9" disagrees with this version list, which marks 10.5.9 as unaffected and 10.5.8 as the last affected release. The NVD configuration below (versionEndExcluding 10.5.9) and the vendor solution ("10.10.0, 10.5.9 or higher") follow the version list, whereas the GitHub advisory below names 10.5.10 as the fixed version. Deployments on exactly 10.5.9 should confirm the fix against the vendor advisory rather than rely on the summary text.
Credits
Juho Forsén
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T14:53:09.816331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T14:53:18.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"status": "unaffected",
"version": "10.10.0"
},
{
"status": "unaffected",
"version": "10.5.9"
},
{
"lessThanOrEqual": "10.5.8",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Server versions 10.5.x \u003c= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T07:28:37.220Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost Plugins to versions 10.10.0, 10.5.9 or higher."
}
],
"source": {
"advisory": "MMSA-2025-00454",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62939"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "AI plugin APIs can be triggered using post actions"
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-47700",
"datePublished": "2025-08-21T07:28:37.220Z",
"dateReserved": "2025-07-22T07:53:00.887Z",
"dateUpdated": "2025-08-21T14:53:18.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-47700",
"date": "2026-05-27",
"epss": "0.00049",
"percentile": "0.15544"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47700\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2025-08-21T08:15:29.360\",\"lastModified\":\"2025-10-29T18:40:16.453\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost Server versions 10.5.x \u003c= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions\"},{\"lang\":\"es\",\"value\":\"Las versiones 10.5.x \u0026lt;= 10.5.9 de Mattermost Server que utilizan el complemento Agentes no rechazan los cuerpos de solicitud vac\u00edos, lo que permite a los usuarios enga\u00f1arlos para que hagan clic en enlaces maliciosos mediante acciones posteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.5.0\",\"versionEndExcluding\":\"10.5.9\",\"matchCriteriaId\":\"B95DCAE5-07C2-46B1-B03E-ED3FB9B2C568\"}]}]}],\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47700\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-21T14:53:09.816331Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-21T14:53:14.420Z\"}}], \"cna\": {\"title\": \"AI plugin APIs can be triggered using post actions\", \"source\": {\"defect\": [\"https://mattermost.atlassian.net/browse/MM-62939\"], \"advisory\": \"MMSA-2025-00454\", \"discovery\": \"{\\\"self\\\"=\u003e\\\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\\\", \\\"value\\\"=\u003e\\\"Internal\\\", \\\"id\\\"=\u003e\\\"10557\\\"}\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Juho Fors\\u00e9n\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Mattermost\", \"product\": \"Mattermost\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"10.10.0\"}, {\"status\": \"unaffected\", \"version\": \"10.5.9\"}, {\"status\": \"affected\", \"version\": \"10.5.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.5.8\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update Mattermost Plugins to versions 10.10.0, 10.5.9 or higher.\"}], \"references\": 
[{\"url\": \"https://mattermost.com/security-updates\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mattermost Server versions 10.5.x \u003c= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"shortName\": \"Mattermost\", \"dateUpdated\": \"2025-08-21T07:28:37.220Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-47700\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-21T14:53:18.203Z\", \"dateReserved\": \"2025-07-22T07:53:00.887Z\", \"assignerOrgId\": \"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee\", \"datePublished\": \"2025-08-21T07:28:37.220Z\", \"assignerShortName\": \"Mattermost\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2025-47700
Vulnerability from fkie_nvd - Published: 2025-08-21 08:15 - Updated: 2025-10-29 18:40
Severity
Summary
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
References
| Source | URL | Tags |
|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mattermost | mattermost_server | * (10.5.0 ≤ version < 10.5.9, per the CPE match below) |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B95DCAE5-07C2-46B1-B03E-ED3FB9B2C568",
"versionEndExcluding": "10.5.9",
"versionStartIncluding": "10.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Server versions 10.5.x \u003c= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions"
},
{
"lang": "es",
"value": "Las versiones 10.5.x \u0026lt;= 10.5.9 de Mattermost Server que utilizan el complemento Agentes no rechazan los cuerpos de solicitud vac\u00edos, lo que permite a los usuarios enga\u00f1arlos para que hagan clic en enlaces maliciosos mediante acciones posteriores."
}
],
"id": "CVE-2025-47700",
"lastModified": "2025-10-29T18:40:16.453",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
},
"published": "2025-08-21T08:15:29.360",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
GHSA-VQWH-5JHH-VC9P
Vulnerability from github – Published: 2025-08-21 09:30 – Updated: 2025-08-29 20:52
Summary
Mattermost Server SSRF Vulnerability via the Agents Plugin
Details
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.5.9"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250814075248-83a37a861d3c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47700"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-21T16:02:16Z",
"nvd_published_at": "2025-08-21T08:15:29Z",
"severity": "LOW"
},
"details": "Mattermost Server versions 10.5.x \u003c= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions",
"id": "GHSA-vqwh-5jhh-vc9p",
"modified": "2025-08-29T20:52:24Z",
"published": "2025-08-21T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47700"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3906"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Server SSRF Vulnerability via the Agents Plugin"
}
WID-SEC-W-2025-1625
Vulnerability from csaf_certbund - Published: 2025-07-22 22:00 - Updated: 2025-08-21 22:00
Summary
Mattermost Server und Plugins: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Mattermost ist ein webbasierter Instant-Messaging-Dienst.
Angriff: Ein authentifizierter Angreifer mit bestimmten Berechtigungen kann diese Schwachstellen ausnutzen, um Sicherheitsmechanismen zu umgehen, beliebige Dateien in das Dateisystem einzubringen und potenziell beliebigen Code auszuführen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |

Note: this CSAF document lists the same ten product ranges as known affected for every CVE it covers (the `known_affected` arrays in the JSON below are identical for all nine CVEs), so the table describes the scope of advisory WID-SEC-W-2025-1625 as a whole rather than the narrower 10.5.0–10.5.8 range the CVE record gives for CVE-2025-47700 on its own.
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mattermost Mattermost Plugins <10.5.9 (Mattermost / Mattermost) | | Plugins <10.5.9 | |
| Mattermost Mattermost Server <10.8.4 (Mattermost / Mattermost) | | Server <10.8.4 | |
| Mattermost Mattermost Server <10.11.0 (Mattermost / Mattermost) | | Server <10.11.0 | |
| Mattermost Mattermost Server <9.11.18 (Mattermost / Mattermost) | | Server <9.11.18 | |
| Mattermost Mattermost Server <10.5.9 (Mattermost / Mattermost) | | Server <10.5.9 | |
| Mattermost Mattermost Server <10.10.1 (Mattermost / Mattermost) | | Server <10.10.1 | |
| Mattermost Mattermost Server <10.9.3 (Mattermost / Mattermost) | | Server <10.9.3 | |
| Mattermost Mattermost Server <10.10.0 (Mattermost / Mattermost) | | Server <10.10.0 | |
| Mattermost Mattermost Server <10.9.4 (Mattermost / Mattermost) | | Server <10.9.4 | |
| Mattermost Mattermost Server <10.9.2 (Mattermost / Mattermost) | | Server <10.9.2 | |
References
4 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Mattermost ist ein webbasierter Instant-Messaging-Dienst.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein authentifizierter Angreifer mit bestimmten Berechtigungen kann diese Schwachstellen ausnutzen, um Sicherheitsmechanismen zu umgehen, beliebige Dateien in das Dateisystem einzubringen und potenziell beliebigen Code auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1625 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1625.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1625 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1625"
},
{
"category": "external",
"summary": "Mattermost Server Security Updates vom 2025-07-22",
"url": "https://mattermost.com/security-updates/#server"
},
{
"category": "external",
"summary": "Mattermost Plugins Security Updates vom 2025-07-22",
"url": "https://mattermost.com/security-updates/#plugins"
}
],
"source_lang": "en-US",
"title": "Mattermost Server und Plugins: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-08-21T22:00:00.000+00:00",
"generator": {
"date": "2025-08-22T07:45:47.751+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-1625",
"initial_release_date": "2025-07-22T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-07-22T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-08-20T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Informationen und CVE von Mattermost aufgenommen"
},
{
"date": "2025-08-21T22:00:00.000+00:00",
"number": "3",
"summary": "CVE- und EUVD-Referenzen erg\u00e4nzt"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Plugins \u003c10.5.9",
"product": {
"name": "Mattermost Mattermost Plugins \u003c10.5.9",
"product_id": "T045611"
}
},
{
"category": "product_version",
"name": "Plugins 10.5.9",
"product": {
"name": "Mattermost Mattermost Plugins 10.5.9",
"product_id": "T045611-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:plugins__10.5.9"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.11.0",
"product": {
"name": "Mattermost Mattermost Server \u003c10.11.0",
"product_id": "T045612"
}
},
{
"category": "product_version",
"name": "Server 10.11.0",
"product": {
"name": "Mattermost Mattermost Server 10.11.0",
"product_id": "T045612-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.11.0"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.8.4",
"product": {
"name": "Mattermost Mattermost Server \u003c10.8.4",
"product_id": "T045613"
}
},
{
"category": "product_version",
"name": "Server 10.8.4",
"product": {
"name": "Mattermost Mattermost Server 10.8.4",
"product_id": "T045613-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.8.4"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.5.9",
"product": {
"name": "Mattermost Mattermost Server \u003c10.5.9",
"product_id": "T045614"
}
},
{
"category": "product_version",
"name": "Server 10.5.9",
"product": {
"name": "Mattermost Mattermost Server 10.5.9",
"product_id": "T045614-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.5.9"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c9.11.18",
"product": {
"name": "Mattermost Mattermost Server \u003c9.11.18",
"product_id": "T045615"
}
},
{
"category": "product_version",
"name": "Server 9.11.18",
"product": {
"name": "Mattermost Mattermost Server 9.11.18",
"product_id": "T045615-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__9.11.18"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.9.3",
"product": {
"name": "Mattermost Mattermost Server \u003c10.9.3",
"product_id": "T045616"
}
},
{
"category": "product_version",
"name": "Server 10.9.3",
"product": {
"name": "Mattermost Mattermost Server 10.9.3",
"product_id": "T045616-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.9.3"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.10.1",
"product": {
"name": "Mattermost Mattermost Server \u003c10.10.1",
"product_id": "T045617"
}
},
{
"category": "product_version",
"name": "Server 10.10.1",
"product": {
"name": "Mattermost Mattermost Server 10.10.1",
"product_id": "T045617-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.10.1"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.9.4",
"product": {
"name": "Mattermost Mattermost Server \u003c10.9.4",
"product_id": "T045618"
}
},
{
"category": "product_version",
"name": "Server 10.9.4",
"product": {
"name": "Mattermost Mattermost Server 10.9.4",
"product_id": "T045618-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.9.4"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.10.0",
"product": {
"name": "Mattermost Mattermost Server \u003c10.10.0",
"product_id": "T045619"
}
},
{
"category": "product_version",
"name": "Server 10.10.0",
"product": {
"name": "Mattermost Mattermost Server 10.10.0",
"product_id": "T045619-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.10.0"
}
}
},
{
"category": "product_version_range",
"name": "Server \u003c10.9.2",
"product": {
"name": "Mattermost Mattermost Server \u003c10.9.2",
"product_id": "T045620"
}
},
{
"category": "product_version",
"name": "Server 10.9.2",
"product": {
"name": "Mattermost Mattermost Server 10.9.2",
"product_id": "T045620-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:mattermost:mattermost_server:server__10.9.2"
}
}
}
],
"category": "product_name",
"name": "Mattermost"
}
],
"category": "vendor",
"name": "Mattermost"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-36530",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-36530"
},
{
"cve": "CVE-2025-47700",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-47700"
},
{
"cve": "CVE-2025-47870",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-47870"
},
{
"cve": "CVE-2025-49222",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-49222"
},
{
"cve": "CVE-2025-49810",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-49810"
},
{
"cve": "CVE-2025-53971",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-53971"
},
{
"cve": "CVE-2025-6465",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-6465"
},
{
"cve": "CVE-2025-8023",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-8023"
},
{
"cve": "CVE-2025-8402",
"product_status": {
"known_affected": [
"T045611",
"T045613",
"T045612",
"T045615",
"T045614",
"T045617",
"T045616",
"T045619",
"T045618",
"T045620"
]
},
"release_date": "2025-07-22T22:00:00.000+00:00",
"title": "CVE-2025-8402"
}
]
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.