CVE-2025-12419
BaseFortify
Publication date: 2025-11-27
Last updated on: 2025-12-03
Assigner: Mattermost, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range (inc = inclusive, exc = exclusive) |
|---|---|---|
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.13 (exc) |
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.5 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.2 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.4 (exc) |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-303 | Incorrect Implementation of Authentication Algorithm | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
AI Powered Q&A
Can you explain this vulnerability to me?
Affected versions of Mattermost Server do not properly validate the OAuth state token during OpenID Connect (OIDC) authentication. The state token is what ties the callback that completes an OAuth login back to the login request that started it; because that binding is not enforced, an authenticated attacker who holds team creation or admin privileges can manipulate the authentication data exchanged when the OAuth flow completes and take over any user account on the instance.
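The following is an added illustration of the bug class behind this CVE (CWE-303, a state token that the login-completion step trusts instead of validating); it is example code written for this page, not Mattermost's code, and the handler names, the `pendingLogin` record and the constructed inputs are assumptions. The weak handler reads the target account out of whatever arrives in the `state` parameter, so the caller picks the account. The hardened handler treats the state as an opaque random handle whose meaning lives server-side, checks that it is unexpired and bound to the session that started the flow, burns it on first use, and resolves the account only from the identity the IdP asserted.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// weakState is the shape a naive implementation might pack into the OAuth state
// parameter (assumed for illustration): the callback reads user_id straight out of it.
type weakState struct {
	Action string `json:"action"`
	UserID string `json:"user_id"`
	Nonce  string `json:"nonce"`
}

// completeLoginWeak trusts the callback's state parameter. The only check is that a
// nonce is present, so anyone who can reach the callback with a crafted state chooses
// which local account the login completes as.
func completeLoginWeak(state string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(state)
	if err != nil {
		return "", err
	}
	var st weakState
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", err
	}
	if st.Nonce == "" {
		return "", errors.New("missing nonce")
	}
	return st.UserID, nil // account chosen by the caller, not by the server
}

// pendingLogin is the server-side record an opaque state handle stands for.
type pendingLogin struct {
	sessionID string    // browser session that initiated the login
	expires   time.Time // hard deadline for completing the flow
}

type StateStore struct {
	mu      sync.Mutex
	pending map[string]pendingLogin
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewStateStore(now func() time.Time) *StateStore {
	return &StateStore{pending: map[string]pendingLogin{}, now: now}
}

// Issue mints a 256-bit random state bound to sessionID and valid for ttl.
func (s *StateStore) Issue(sessionID string, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[token] = pendingLogin{sessionID: sessionID, expires: s.now().Add(ttl)}
	return token, nil
}

// Consume validates and burns a state: it must exist, be unexpired, and belong to the
// session that started the flow. It is deleted whether or not the checks pass, so a
// state can never be replayed or retried against another session.
func (s *StateStore) Consume(token, sessionID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pending[token]
	delete(s.pending, token)
	if !ok {
		return errors.New("unknown state")
	}
	if s.now().After(p.expires) {
		return errors.New("state expired")
	}
	if subtle.ConstantTimeCompare([]byte(p.sessionID), []byte(sessionID)) != 1 {
		return errors.New("state not bound to this session")
	}
	return nil
}

// completeLoginHardened resolves the account from the subject the IdP asserted (after
// the code exchange and ID-token verification, which happen elsewhere), never from
// anything the callback request itself carries. subjects is the IdP-subject -> local
// user mapping, assumed here as a plain map.
func completeLoginHardened(store *StateStore, state, sessionID, idpSubject string, subjects map[string]string) (string, error) {
	if err := store.Consume(state, sessionID); err != nil {
		return "", err
	}
	userID, ok := subjects[idpSubject]
	if !ok {
		return "", fmt.Errorf("no local account linked to subject %q", idpSubject)
	}
	return userID, nil
}

func main() {
	// Constructed attacker input for the weak handler: a state naming the admin account.
	crafted := base64.RawURLEncoding.EncodeToString([]byte(`{"action":"login","user_id":"admin","nonce":"x"}`))
	fmt.Println(completeLoginWeak(crafted)) // admin <nil>

	store := NewStateStore(time.Now)
	st, _ := store.Issue("sess-A", time.Minute)
	subjects := map[string]string{"idp-sub-42": "alice"}
	fmt.Println(completeLoginHardened(store, st, "sess-A", "idp-sub-42", subjects)) // alice <nil>
	fmt.Println(completeLoginHardened(store, st, "sess-A", "idp-sub-42", subjects)) //  unknown state
}
```

The point of the hardened version is not the random token by itself but the three properties checked in `Consume`: the state is bound to the initiating session, it expires, and it is single use. Dropping any one of them reopens a variant of the same account-takeover path.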
How can this vulnerability impact me?
An attacker who already has team creation or admin privileges on the instance can take over any user account, gaining access to that user's messages and files, acting on their behalf, and undermining the confidentiality and integrity of the deployment. The affected ranges above end at the first fixed release of each branch, so upgrading to Mattermost Server 10.5.13, 10.11.5, 10.12.2 or 11.0.4 (or later) removes the issue.