{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-3230","assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","state":"PUBLISHED","assignerShortName":"Mattermost","dateReserved":"2025-04-03T15:46:34.595Z","datePublished":"2025-05-30T14:22:09.392Z","dateUpdated":"2025-05-30T14:42:40.557Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"status":"affected","version":"10.7.0","versionType":"semver"},{"lessThanOrEqual":"10.6.2","status":"affected","version":"10.6.0","versionType":"semver"},{"lessThanOrEqual":"10.5.3","status":"affected","version":"10.5.0","versionType":"semver"},{"lessThanOrEqual":"9.11.12","status":"affected","version":"9.11.0","versionType":"semver"},{"status":"unaffected","version":"10.8.0"},{"status":"unaffected","version":"10.7.1"},{"status":"unaffected","version":"10.6.3"},{"status":"unaffected","version":"10.5.4"},{"status":"unaffected","version":"9.11.13"}]}],"credits":[{"lang":"en","type":"finder","value":"eAhmed"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Mattermost versions 10.7.x &lt;= 10.7.0, 10.6.x &lt;= 10.6.2, 10.5.x &lt;= 10.5.3, 9.11.x &lt;= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.</p>"}],"value":"Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-303","description":"CWE-303: Incorrect Implementation of Authentication Algorithm","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost","dateUpdated":"2025-05-30T14:22:09.392Z"},"references":[{"url":"https://mattermost.com/security-updates"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Update Mattermost to versions 10.8.0, 10.7.1, 10.6.3, 10.5.4, 9.11.13 or higher.</p>"}],"value":"Update Mattermost to versions 10.8.0, 10.7.1, 10.6.3, 10.5.4, 9.11.13 or higher."}],"source":{"advisory":"MMSA-2025-00463","defect":["https://mattermost.atlassian.net/browse/MM-63479"],"discovery":"EXTERNAL"},"title":"Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-30T14:42:24.325076Z","id":"CVE-2025-3230","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-30T14:42:40.557Z"}}]}}