CVE-2025-24490

Published Feb 24, 2025

Last updated 6 months ago

CVSS critical 9.6

Overview

Description
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.
Source
responsibledisclosure@mattermost.com
NVD status
Analyzed
Products
mattermost_server

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

responsibledisclosure@mattermost.com
CWE-89

Social media

Hype score
Not currently trending

  1. CVE-2025-24490 (CVSS:9.6, CRITICAL) is Awaiting Analysis. Mattermost versions 10.4.x &lt;= 10.4.1, 9.11.x &lt;= 9.11.7, 10.3.x &lt;= 10.3.2, 10.2.x &lt;= 10.2.2 fail to use prepared statemen..https://t.co/eHfNLHNvip #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nv

    @cracbot

    1 Mar 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-24490 (CVSS:9.6, CRITICAL) is Awaiting Analysis. Mattermost versions 10.4.x &lt;= 10.4.1, 9.11.x &lt;= 9.11.7, 10.3.x &lt;= 10.3.2, 10.2.x &lt;= 10.2.2 fail to use prepared statemen..https://t.co/eHfNLHNvip #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nv

    @cracbot

    28 Feb 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 ALERT: Mattermost Users, Patch Now! 🚨 Three nasty vulns just dropped – CVE-2025-20051, CVE-2025-24490, and CVE-2025-25279. Attackers could exploit these to snoop on any file or unleash SQL injection chaos. ZoomEye’s already clocked 35.1k+ exposed instances with this… https

    @zoomeye_team

    25 Feb 2025

    425 Impressions

    1 Retweet

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. Critical Mattermost Flaws (CVE-2025-20051, CVE-2025-24490, CVE-2025-25279) Expose Systems to File Read and SQL Injection Attacks https://t.co/UPqEin5F1b

    @Dinosn

    25 Feb 2025

    2234 Impressions

    7 Retweets

    17 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  5. ⚠️⚠️Critical Mattermost Flaws Expose Systems to File Read and SQL Injection Attacks CVE-2025-20051, CVE-2025-24490, CVE-2025-25279 🎯84k+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link:https://t.co/bRJ5LAaio1 FOFA Query:app="Mattermost" 🔖… https://

    @fofabot

    25 Feb 2025

    970 Impressions

    7 Retweets

    11 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 CVE-2025-24490 ⚠️🔴 CRITICAL (9.6) 🏢 Mattermost - Mattermost 🏗️ 10.4.0 🔗 https://t.co/kImZIYcYXl #CyberCron #VulnAlert https://t.co/KWXOpq3dO5

    @cybercronai

    24 Feb 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-24490 Mattermost versions 10.4.x &lt;= 10.4.1, 9.11.x &lt;= 9.11.7, 10.3.x &lt;= 10.3.2, 10.2.x &lt;= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which… https://t.co/7T8PvYnt8W

    @CVEnew

    24 Feb 2025

    443 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. [CVE-2025-24490: CRITICAL] Critical security vulnerability in Mattermost versions 10.4.x &lt;= 10.4.1, 9.11.x &lt;= 9.11.7, 10.3.x &lt;= 10.3.2, 10.2.x &lt;= 10.2.2. SQL injection can expose sensitive data. Update immediately.#cybersecurity,#vulnerability https://t.co/iLdnG4JY0a

    @CveFindCom

    24 Feb 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574CVE-2026-4274
  2. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow.. Mattermost Advisory ID: MMSA-2026-00590CVE-2026-27656
  3. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request.. Mattermost Advisory ID: MMSA-2026-00578CVE-2026-27659
  4. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566CVE-2026-26233
  5. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub.. Mattermost Advisory ID: MMSA-2026-00595CVE-2026-20719

References

Sources include official advisories and independent security research.