github
diff --git a/‎advisories/github-reviewed/2025/11/GHSA-ff85-qw3h-g9vp/GHSA-ff85-qw3h-g9vp.json‎
Lines changed: 138 additions & 0 deletions b/‎advisories/github-reviewed/2025/11/GHSA-ff85-qw3h-g9vp/GHSA-ff85-qw3h-g9vp.json‎
Lines changed: 138 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2025/11/GHSA-mqp8-pgg5-7x7m/GHSA-mqp8-pgg5-7x7m.json‎
Lines changed: 138 additions & 0 deletions b/‎advisories/github-reviewed/2025/11/GHSA-mqp8-pgg5-7x7m/GHSA-mqp8-pgg5-7x7m.json‎
Lines changed: 138 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/11/GHSA-ff85-qw3h-g9vp/GHSA-ff85-qw3h-g9vp.json‎
Lines changed: 0 additions & 36 deletions b/‎advisories/unreviewed/2025/11/GHSA-ff85-qw3h-g9vp/GHSA-ff85-qw3h-g9vp.json‎
Lines changed: 0 additions & 36 deletions
diff --git a/‎advisories/unreviewed/2025/11/GHSA-mqp8-pgg5-7x7m/GHSA-mqp8-pgg5-7x7m.json‎
Lines changed: 0 additions & 36 deletions b/‎advisories/unreviewed/2025/11/GHSA-mqp8-pgg5-7x7m/GHSA-mqp8-pgg5-7x7m.json‎
Lines changed: 0 additions & 36 deletions
@@ -0,0 +1,138 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ff85-qw3h-g9vp",
+  "modified": "2025-11-17T17:58:31Z",
+  "published": "2025-11-14T09:30:27Z",
+  "aliases": [
+    "CVE-2025-55073"
+  ],
+  "summary": "Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL",
+  "details": "Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.11.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.5.0"
+            },
+            {
+              "fixed": "10.5.12"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.12.0"
+            },
+            {
+              "fixed": "10.12.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost/server/v8"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.0.0-20250929212932-a41db04d2746"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55073"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/375ce229f4923205394d8f27925372b2cbf28130"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/6c288aa62bb3343183ec1d0a06360d14aa0193e9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/a41db04d2746ab549d056db4ede4cd803f64989c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/b822cea06bf5683a176e2c92711241bd29cd9389"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/e47349ea0fc072ee1dfb196d9bb1c8fd1a589224"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-17T17:58:31Z",
+    "nvd_published_at": "2025-11-14T08:15:45Z"
+  }
+}
@@ -0,0 +1,138 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mqp8-pgg5-7x7m",
+  "modified": "2025-11-17T17:58:51Z",
+  "published": "2025-11-14T12:30:18Z",
+  "aliases": [
+    "CVE-2025-11794"
+  ],
+  "summary": "Mattermost allows system administrators to access password hashes and MFA secrets",
+  "details": "Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.11.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.5.0"
+            },
+            {
+              "fixed": "10.5.12"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.12.0"
+            },
+            {
+              "fixed": "10.12.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost/server/v8"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.0.0-20250929212932-a41db04d2746"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11794"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/375ce229f4923205394d8f27925372b2cbf28130"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/6c288aa62bb3343183ec1d0a06360d14aa0193e9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/a41db04d2746ab549d056db4ede4cd803f64989c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/b822cea06bf5683a176e2c92711241bd29cd9389"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/e47349ea0fc072ee1dfb196d9bb1c8fd1a589224"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-17T17:58:51Z",
+    "nvd_published_at": "2025-11-14T11:15:45Z"
+  }
+}