CVE-2025-13324
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-29
Assigner: Mattermost, Inc.
Description
Description
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.6 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.3 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.5 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
