CVE-2025-12559
BaseFortify
Publication date: 2025-11-27
Last updated on: 2025-12-03
Assigner: Mattermost, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.13 (exc) |
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.5 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.2 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost where team email addresses are not properly restricted and sanitized. As a result, any authenticated user can access and view team email addresses through the GET /api/v4/channels/{channel_id}/common_teams endpoint, even though these email addresses should only be visible to Team Admins.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of team email addresses to any authenticated user. This could increase the risk of phishing attacks, spam, or other social engineering attacks targeting team members, potentially compromising organizational security and privacy.