CVE-2025-1792

Aliases:GHSA-hc6v-386m-93pqGO-2025-3730
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 30 May 2025, 14:22
Last modified:12 Jun 2025, 17:07

Vulnerability Summary

Overall Risk (default)
low
12/100
CVSS Score
3.1 LOW
v3.1 (cve.org)
EPSS Score
0.14% LOW
0% probability +0.11%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

30 May 2025, 14:22
Published
Vulnerability first disclosed
12 Jun 2025, 17:07
Last Modified
Vulnerability information updated

Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

CVSS Metrics

  • v3.1LOWScore: 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.14% Percentile: 33%

Techniques & Countermeasures

  • CWE-863Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Affected Systems

  • github.com/mattermostmattermost-server

    ≥ 10.6.0-rc1+incompatible, < 10.7.1+incompatible

  • github.com/mattermost/mattermost-serverv5

    all

  • github.com/mattermost/mattermost-serverv6

    all

  • github.com/mattermost/mattermost/serverv8

    ≥ 10.6.0-rc1, < 10.7.1 | ≥ 10.0.0-rc1, < 10.5.4 | ≥ 9.0.0-rc1, < 9.11.13 | < 8.0.0-20250414110750-c23f44fe8ed0

  • mattermostmattermost

    ≥ 10.5.0, ≤ 10.5.3 | ≥ 9.11.0, ≤ 9.11.12

  • mattermostmattermost_server

    ≥ 9.11.0, < 9.11.13 | ≥ 10.5.0, < 10.5.4 | ≥ 10.7.0, < 10.7.1

References (5)