CVE-2025-1472

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-1472
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1472.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-1472
Aliases
Downstream
Related
Published
2025-03-19T15:15:53Z
Modified
2025-10-03T05:01:53.724798Z
Summary
[none]
Details

Mattermost versions 9.11.x <= 9.11.8 fail to properly enforce authorization for the Viewer role, which allows an attacker whose Viewer role is configured with No Access to Reporting to still view team and site statistics.

References

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events

Affected versions

@mattermost/client@9.*

@mattermost/client@9.11.0

@mattermost/types@9.*

@mattermost/types@9.11.0

v9.*

v9.11.0
v9.11.0-rc3
v9.11.1
v9.11.1-rc1
v9.11.2
v9.11.2-rc1
v9.11.2-rc2
v9.11.3
v9.11.3-rc1
v9.11.3-rc2
v9.11.4
v9.11.4-rc1
v9.11.5
v9.11.5-rc1
v9.11.6
v9.11.6-rc1
v9.11.6-rc2
v9.11.7
v9.11.7-rc1
v9.11.7-rc2
v9.11.7-rc3
v9.11.8
v9.11.9-rc1
v9.11.9-rc2