- Description
- Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
- Source
- responsibledisclosure@mattermost.com
- NVD status
- Analyzed
- Products
- mattermost_server
CVSS 3.1
- Type
- Primary
- Base score
- 8.1
- Impact score
- 5.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Severity
- HIGH
- responsibledisclosure@mattermost.com
- CWE-352
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FCC7A7BB-02AF-4CC9-9F33-8787C87B73F0",
"versionEndExcluding": "10.11.13",
"versionStartIncluding": "10.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F9041D47-B3B0-4958-BD55-FC8A17789C72",
"versionEndExcluding": "11.3.3",
"versionStartIncluding": "11.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D1C9027C-4E83-47E3-8D96-1928F34FBD8E",
"versionEndExcluding": "11.4.3",
"versionStartIncluding": "11.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D6803A0-3760-4659-95A9-3859B62C0EF4",
"versionEndExcluding": "11.5.1",
"versionStartIncluding": "11.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]