Upstream information
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
CNA (Mattermost) | |
---|---|
Base Score | 5.4 |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
CVSSv3 Version | 3.1 |
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-15225 |
SUSE Timeline for this CVE
CVE page created: Fri May 30 17:06:47 2025CVE page last modified: Tue Aug 5 01:23:23 2025