
9 matches found

OSV
added 2025/08/18 1:17 p.m., 3 views

GO-2025-3869 Mattermost Confluence Plugin has Missing Authorization vulnerability in github.com/mattermost/mattermost-plugin-confluence


CVSS 4, AI score 7.1, EPSS 0.00208, Exploits 0, References 3

Snyk
added 2025/08/11 9:31 p.m., 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the create subscription endpoint. An attacker can gain unauthorized access to information by creating a subscription to a resource without proper access rights. Remediation: Upgrade...

CVSS 5.3, AI score 6.8, EPSS 0.00183, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 2 views

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to improper handling of unexpected request bodies in the update channel subscription endpoint. An attacker can cause the plugin to crash by repeatedly sending invalid request bodi...

CVSS 8.7, AI score 7, EPSS 0.00436, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 2 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to an API call to edit the channel subscription endpoint. An attacker can modify channel subscriptions by sending unauthorized API requests. Remediation: Upgrade...

CVSS 7.2, AI score 6.9, EPSS 0.0027, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 1 view

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to improper handling of unexpected request bodies in the update channel subscription endpoint. An attacker can cause the plugin to crash by repeatedly sending invalid request bodi...

CVSS 8.7, AI score 7, EPSS 0.00436, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 1 view

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to an API call to edit the channel subscription endpoint. An attacker can modify channel subscriptions by sending unauthorized API requests. Remediation: Upgrade...

CVSS 7.2, AI score 6.9, EPSS 0.0027, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the GET autocomplete/GetChannelSubscriptions endpoint. An attacker can retrieve channel subscription details by making unauthorized API calls. Remediation: Upgrade...

CVSS 5.4, AI score 7, EPSS 0.00199, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 2 views

Improper Validation of Specified Type of Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the create channel subscription endpoint when unexpected request bodies are not properly handled. An attacker can cause the plugin to crash by repeatedly sending invalid request bodies...

CVSS 8.7, AI score 7, EPSS 0.00436, Exploits 0, References 2

Snyk
added 2025/08/11 9:31 p.m., 1 view

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the create channel subscription endpoint, which fails to check the authorization of the user. An attacker can gain unauthorized access to create channel subscriptions by making API calls...

CVSS 7.2, AI score 7.1, EPSS 0.00263, Exploits 0, References 2