CVE-2025-14273
BaseFortify
Publication date: 2025-12-22
Last updated on: 2025-12-29
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.8 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.4 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.6 (exc) |
| mattermost | mattermost_server | From 11.1.0 (inc) to 11.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-303 | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost and its Jira plugin where authentication and issue-key path restrictions are not properly enforced. An unauthenticated attacker who knows a valid user ID can send authenticated GET and POST requests to the Jira server by crafting plugin payloads that spoof the user ID and inject arbitrary issue key paths.
How can this vulnerability impact me? :
The vulnerability allows an unauthenticated attacker to perform actions on the Jira server as if they were an authenticated user, potentially leading to unauthorized modification or access to Jira issues. This can result in integrity and availability impacts on the affected systems.