CVE-2025-1472

MEDIUM4.3EPSS 0.24%

Mattermost Fails to Properly Perform Viewer Role Authorization

Published: 3/19/2025Modified: 3/25/2025

Also known as:GHSA-fqrq-xmxj-v47xGO-2025-3534

Description

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

Affected packages (6)

Go/github.com/mattermost/mattermost-server>= 9.11.0, < 9.11.9
Go/github.com/mattermost/mattermost-server>= 9.11.0+incompatible, < 9.11.9+incompatible
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0
Go/github.com/mattermost/mattermost/server/v8>= 9.11.0, < 9.11.9
Go/github.com/mattermost/mattermost/server/v8from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://github.com/advisories/GHSA-fqrq-xmxj-v47x
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-1472
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates