Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e9215787b3be · 2025-11-14T09:32:20.000Z
GHSA-ff85-qw3h-g9vp GHSA-j6gg-r5jc-47cm GHSA-x3hx-ch7p-8xgg GHSA-xpg8-8xpv-948p
diff --git a/advisories/unreviewed/2025/11/GHSA-ff85-qw3h-g9vp/GHSA-ff85-qw3h-g9vp.json b/advisories/unreviewed/2025/11/GHSA-ff85-qw3h-g9vp/GHSA-ff85-qw3h-g9vp.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ff85-qw3h-g9vp",
+  "modified": "2025-11-14T09:30:27Z",
+  "published": "2025-11-14T09:30:27Z",
+  "aliases": [
+    "CVE-2025-55073"
+  ],
+  "details": "Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55073"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-14T08:15:45Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-j6gg-r5jc-47cm/GHSA-j6gg-r5jc-47cm.json b/advisories/unreviewed/2025/11/GHSA-j6gg-r5jc-47cm/GHSA-j6gg-r5jc-47cm.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j6gg-r5jc-47cm",
+  "modified": "2025-11-14T09:30:27Z",
+  "published": "2025-11-14T09:30:27Z",
+  "aliases": [
+    "CVE-2025-11776"
+  ],
+  "details": "Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11776"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-14T08:15:43Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-x3hx-ch7p-8xgg/GHSA-x3hx-ch7p-8xgg.json b/advisories/unreviewed/2025/11/GHSA-x3hx-ch7p-8xgg/GHSA-x3hx-ch7p-8xgg.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x3hx-ch7p-8xgg",
+  "modified": "2025-11-14T09:30:27Z",
+  "published": "2025-11-14T09:30:27Z",
+  "aliases": [
+    "CVE-2025-41436"
+  ],
+  "details": "Mattermost versions <11.0 fail to properly enforce the \"Allow users to view archived channels\" setting which allows regular users to access archived channel content and files via the \"Open in Channel\" functionality from followed threads",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41436"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-14T08:15:45Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-xpg8-8xpv-948p/GHSA-xpg8-8xpv-948p.json b/advisories/unreviewed/2025/11/GHSA-xpg8-8xpv-948p/GHSA-xpg8-8xpv-948p.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xpg8-8xpv-948p",
+  "modified": "2025-11-14T09:30:27Z",
+  "published": "2025-11-14T09:30:27Z",
+  "aliases": [
+    "CVE-2025-55070"
+  ],
+  "details": "Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55070"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-14T08:15:45Z"
+  }
+}
