First published: Wed Mar 19 2025
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker holding the Viewer role configured with No Access to Reporting to still view team and site statistics.
Credit: responsibledisclosure@mattermost.com
Affected Software | Affected Version | How to fix
---|---|---
Mattermost | <=9.11.8 | 
go/github.com/mattermost/mattermost-server | >=9.11.0, <9.11.9 | 9.11.9
go/github.com/mattermost/mattermost/server/v8 | >=9.11.0, <9.11.9 | 9.11.9
Update Mattermost to versions 10.5.0, 9.11.9 or higher.
CVE-2025-1472 has a medium severity rating due to the improper authorization in the Viewer role.
To fix CVE-2025-1472, upgrade Mattermost to a version higher than 9.11.8.
CVE-2025-1472 affects Mattermost versions 9.11.x up to and including 9.11.8.
The risk associated with CVE-2025-1472 is that users with restricted Viewer roles may access sensitive team and site statistics.
There are no official workarounds for CVE-2025-1472; upgrading to a secure version is the recommended approach.