CVE-2025-1472

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-1472

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1472.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1472

Aliases

Downstream

openSUSE-SU-2025:14937-1

Related

openSUSE-SU-2025:14937-1

Published

2025-03-19T15:15:53.433Z

Modified

2026-04-10T05:21:36.994127Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

0bc2ddd42375a75ab14e63f038165150d4f07659

Fixed

07bb4f96ed7400080f2ded5e910a947b8e6c168f

Database specific

{
    "versions": [
        {
            "introduced": "9.11.0"
        },
        {
            "fixed": "9.11.9"
        }
    ]
}

Affected versions

@mattermost/client@9.*

@mattermost/client@9.11.0

@mattermost/types@9.*

@mattermost/types@9.11.0

v9.*

v9.11.0

v9.11.0-rc3

v9.11.1

v9.11.1-rc1

v9.11.2

v9.11.2-rc1

v9.11.2-rc2

v9.11.3

v9.11.3-rc1

v9.11.3-rc2

v9.11.4

v9.11.4-rc1

v9.11.5

v9.11.5-rc1

v9.11.6

v9.11.6-rc1

v9.11.6-rc2

v9.11.7

v9.11.7-rc1

v9.11.7-rc2

v9.11.7-rc3

v9.11.8

v9.11.9-rc1

v9.11.9-rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1472.json"