Описание
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-55073
- https://github.com/mattermost/mattermost/commit/375ce229f4923205394d8f27925372b2cbf28130
- https://github.com/mattermost/mattermost/commit/6c288aa62bb3343183ec1d0a06360d14aa0193e9
- https://github.com/mattermost/mattermost/commit/a41db04d2746ab549d056db4ede4cd803f64989c
- https://github.com/mattermost/mattermost/commit/b822cea06bf5683a176e2c92711241bd29cd9389
- https://github.com/mattermost/mattermost/commit/e47349ea0fc072ee1dfb196d9bb1c8fd1a589224
- https://mattermost.com/security-updates
Пакеты
github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.4
10.11.4
github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.12
10.5.12
github.com/mattermost/mattermost-server
>= 10.12.0, < 10.12.1
10.12.1
github.com/mattermost/mattermost/server/v8
< 8.0.0-20250929212932-a41db04d2746
8.0.0-20250929212932-a41db04d2746
Связанные уязвимости
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= ...
Уязвимость плагина MSTeams приложения для обмена мгновенными сообщениями Mattermost, позволяющая нарушителю оказать воздействие на целостность и доступность защищаемой информации