| ID |
CVE-2025-12419
|
| Sažetak |
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. |
| Reference |
|
| CVSS |
| Base: | 9.9 |
| Impact: | 6.0 |
| Exploitability: | 3.1 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| NETWORK |
LOW |
LOW |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| HIGH |
HIGH |
HIGH |
|
| CVSS vektor |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Zadnje važnije ažuriranje |
27-11-2025 - 18:15 |
| Objavljeno |
27-11-2025 - 16:15 |
