CVE-2025-3227
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-07-08
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 9.11.0 (inc) to 9.11.16 (exc) |
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.6 (exc) |
| mattermost | mattermost_server | From 10.6.0 (inc) to 10.6.6 (exc) |
| mattermost | mattermost_server | From 10.7.0 (inc) to 10.7.3 (exc) |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost where the system fails to properly enforce permissions related to managing channel members during playbook runs. Specifically, authenticated users who do not have the 'Manage Channel Members' permission can still add or remove users from both public and private channels by manipulating the participants of a playbook run linked to a channel.
How can this vulnerability impact me? :
The vulnerability allows unauthorized users to modify channel membership, potentially leading to unauthorized access or removal of users from channels. This can disrupt communication, expose sensitive information to unintended users, or block legitimate users from accessing important channels.