Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to failure in validating the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to exploit this via a crafted OAuth redirect URL to edit...

Mattermost Server 10.5.x < 10.5.12 / 10.11.x 10.11.4 / 10.12.x < 10.12.1 / 11.0.0 Multiple Vulnerabilities (MMSA-2025-00541, MMSA-2025-00492)

The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities as referenced in the MMSA-2025-00541, MMSA-2025-00492 advisory. - Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11, 10.12.x = 10.12.0 fail to sanitize user data which allows system...

Missing Authentication for Critical Function

Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the MSTeams plugin OAuth flow. An attacker can modify arbitrary posts by sending a crafted OAuth...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the MSTeams plugin OAuth flow. An attacker can modify arbitrary posts by sending a crafted OAuth redirect URL. Remediation Upgrade github.com/mattermost/mattermost/server/channels/store t...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the MSTeams plugin OAuth flow. An attacker can modify arbitrary posts by sending a crafted OAuth redirect URL. Remediation Upgrade...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the MSTeams plugin OAuth flow. An attacker can modify arbitrary posts by sending a crafted OAuth redirect URL. Remediation Upgrade...

Mattermost 安全漏洞

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability exists in Mattermost versions 10.11.3 and prior to 10.11.x, 10.5.11 and prior to 10.5.x, and 10.12.0 and prior to 10.12.x. The vulnerability stems from an unvalidated post upda...

Timing Attack

github.com/mattermost/mattermost-server is vulnerable to a Timing attack. The vulnerability is due to improper implementation of constant time comparison when comparing the MSTeams plugin webhook secret, allows an attacker to exploit timing differences in the comparison process to extract the...

Mattermost vulnerable to Observable Timing Discrepancy

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x =10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVE-2025-27936

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x =10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVE-2025-27936

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x =10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVE-2025-27936 Webhook Secret Exposure via Timing attack in MSteams plugin

Mattermost Plugin MSTeams versions 2.1.0 and Mattermost Server versions 10.5.x =10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack...

CVE-2025-27936

CVE-2025-27936 (Mattermost/MS Teams plugin timing attack) : The connected advisory GO-2025-3618 reports a vulnerability in the Mattermost ecosystem where the MSTeams plugin (github.com/mattermost/mattermost-plugin-msteams) and related Mattermost Server versions are susceptible to an observable ti...

PT-2025-16571 · Mattermost · Mattermost Server +1

Name of the Vulnerable Software and Affected Versions: Mattermost Plugin MSTeams versions prior to 2.1.0 Mattermost Server versions 10.5.x through 10.5.1 Description: The issue allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret...