GHSA-j5jw-m2ph-3jjf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j5jw-m2ph-3jjf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-j5jw-m2ph-3jjf/GHSA-j5jw-m2ph-3jjf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j5jw-m2ph-3jjf
- Aliases
-
- CVE-2025-27538
- GO-2025-3620
- Published
- 2025-04-16T09:32:13Z
- Modified
- 2025-04-23T15:15:31Z
- Severity
-
- 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Mattermost Missing Authentication for Critical Function
- Details
-
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with editotherusers permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
- Database specific
{ "nvd_published_at": "2025-04-16T08:15:14Z", "cwe_ids": [ "CWE-306" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-04-16T14:52:34Z" }- References
Affected packages
Go / github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8
Go / github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8
Go / github.com/mattermost/mattermost/server/v8
Package
- Name
- github.com/mattermost/mattermost/server/v8
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/mattermost/mattermost/server/v8