CVE-2025-13324
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-13324
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13324.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-13324
- Aliases
- Published
- 2025-12-17T19:16:01.093Z
- Modified
- 2025-12-31T09:54:15.547409Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
- References
Affected packages
Git / github.com/mattermost/mattermost
Git / github.com/mattermost/mattermost-server
Affected versions
@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/types@10.*
@mattermost/types@10.11.0
mattermost-redux@10.*
mattermost-redux@10.11.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5