Upstream information
Description
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.
| CVSS detail | CNA (Mattermost) |
|---|---|
| Base Score | 3 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality Impact | None |
| Integrity Impact | Low |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|
SUSE Timeline for this CVE
CVE page created: Wed Dec 17 16:02:21 2025CVE page last modified: Tue Jan 6 14:32:10 2026