CVE-2025-3230

Published May 30, 2025

Last updated 2 months ago

CVSS medium 5.4

Overview

Description: Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
Source: responsibledisclosure@mattermost.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.4
Impact score: 2.5
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

responsibledisclosure@mattermost.com: CWE-303

Hype score: Not currently trending

CVE-2025-3230 Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, … https://t.co/zYMioucdpb
@CVEnew
30 May 2025
68 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes

References

Sources include official advisories and independent security research.