CVE-2025-27538
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-27538
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27538.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-27538
- Aliases
- Downstream
- Related
- Published
- 2025-04-16T08:15:14Z
- Modified
- 2025-10-10T05:08:01.682789Z
- Severity
-
- 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with editotherusers permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
- References
Affected packages
Git / github.com/mattermost/mattermost
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mattermost/mattermost
- Events
- Type
- GIT
- Repo
- https://github.com/mattermost/mattermost-server
- Events
Affected versions
@mattermost/client@10.*
@mattermost/client@10.5.0
@mattermost/client@9.*
@mattermost/client@9.11.0
@mattermost/types@10.*
@mattermost/types@10.5.0
@mattermost/types@9.*
@mattermost/types@9.11.0
v10.*
v10.5.0
v10.5.0-rc6
v10.5.1
v10.5.1-rc1
v10.5.1-rc2
v9.*
v9.11.0
v9.11.0-rc3
v9.11.1
v9.11.1-rc1
v9.11.10-rc1
v9.11.2
v9.11.2-rc1
v9.11.2-rc2
v9.11.3
v9.11.3-rc1
v9.11.3-rc2
v9.11.4
v9.11.4-rc1
v9.11.5
v9.11.5-rc1
v9.11.6
v9.11.6-rc1
v9.11.6-rc2
v9.11.7
v9.11.7-rc1
v9.11.7-rc2
v9.11.7-rc3
v9.11.8
v9.11.9
v9.11.9-rc1
v9.11.9-rc2