46 matches found
Improper Authorization
github.com/mattermost/mattermost-server is vulnerable to Improper Authorization. The vulnerability is due to failure to verify whether a user has permission to join a Mattermost team when processing the original invite token, which allows an attacker to manipulate the RelayState parameter and joi...
Improper Access Control
github.com/mattermost/mattermost-server is vulnerable to improper access control. The vulnerability is due to Mattermost failing to verify whether a user has permission to join a team when using the original invite token, which allows an attacker to manipulate the OAuth state and join any team on...
CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
SUSE CVE-2025-58073
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state...
SUSE CVE-2025-58075
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...
Mattermost Server 10.5.x < 10.5.11 / 10.10.x < 10.10.3 / 10.11.x 10.11.2 / 10.12.0 Multiple Vulnerabilities (MMSA-2025-00507, MMSA-2025-00508)
The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities as referenced in the MMSA-2025-00507, MMSA-2025-00508 advisories. - Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.3, 10.5.x = 10.5.10 fail to verify a user has permission to join a...
CVE-2025-58075
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...
Missing Authorization
Overview github.com/mattermost/mattermost/server/v8/channels/web is a platform for secure collaboration across the entire software development lifecycle Affected versions of this package are vulnerable to Missing Authorization in the fullyQualifiedRedirectURL function. An attacker can gain...
Missing Authorization
Overview github.com/mattermost/mattermost-server is an open source Slack-alternative in Golang and React. Affected versions of this package are vulnerable to Missing Authorization in the fullyQualifiedRedirectURL function. An attacker can gain unauthorized access to any team by manipulating the...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the fullyQualifiedRedirectURL function. An attacker can gain unauthorized access to any team by manipulating the invite token, bypassing intended restrictions. Remediation Upgrade...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the fullyQualifiedRedirectURL function. An attacker can gain unauthorized access to any team by manipulating the invite token, bypassing intended restrictions. Remediation Upgrade...
GHSA-R6QJ-894F-5HR2 Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...
GHSA-6Q7M-P8CC-998R Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state...
EUVD-2025-34740
Mattermost has a Missing Authorization vulnerability...
EUVD-2025-34729
Mattermost has a Missing Authorization vulnerability...
Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state...
Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...
CVE-2025-58075
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...
CVE-2025-58073
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state...
CVE-2025-58073 Arbitrary Mattermost Team can be joined by manipulating the OAuth state
Mattermost versions 10.11.x = 10.11.1, 10.10.x = 10.10.2, 10.5.x = 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state...