{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-3611","assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","state":"PUBLISHED","assignerShortName":"Mattermost","dateReserved":"2025-04-14T20:40:50.972Z","datePublished":"2025-05-30T14:22:09.854Z","dateUpdated":"2025-05-30T14:37:42.109Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"status":"affected","version":"10.7.0","versionType":"semver"},{"lessThanOrEqual":"10.5.3","status":"affected","version":"10.5.0","versionType":"semver"},{"lessThanOrEqual":"9.11.12","status":"affected","version":"9.11.0","versionType":"semver"},{"status":"unaffected","version":"10.8.0"},{"status":"unaffected","version":"10.7.1"},{"status":"unaffected","version":"10.5.4"},{"status":"unaffected","version":"9.11.13"}]}],"credits":[{"lang":"en","type":"finder","value":"hackit_bharat"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Mattermost versions 10.7.x &lt;= 10.7.0, 10.5.x &lt;= 10.5.3, 9.11.x &lt;= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.</p>"}],"value":"Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost","dateUpdated":"2025-05-30T14:22:09.854Z"},"references":[{"url":"https://mattermost.com/security-updates"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Update Mattermost to versions 10.8.0, 10.7.1, 10.5.4, 9.11.13 or higher.</p>"}],"value":"Update Mattermost to versions 10.8.0, 10.7.1, 10.5.4, 9.11.13 or higher."}],"source":{"advisory":"MMSA-2025-00462","defect":["https://mattermost.atlassian.net/browse/MM-63377"],"discovery":"EXTERNAL"},"title":"Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-30T14:37:28.621750Z","id":"CVE-2025-3611","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-30T14:37:42.109Z"}}]}}