CVE-2025-54478 Common Vulnerabilities and Exposures

Upstream information

CVE-2025-54478 at MITRE

Description

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail	CNA (Mattermost)	National Vulnerability Database
Base Score	7.2	5.3
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector	Network	Network
Attack Complexity	Low	Low
Privileges Required	None	None
User Interaction	None	None
Scope	Changed	Unchanged
Confidentiality Impact	Low	None
Integrity Impact	Low	Low
Availability Impact	None	None
CVSSv3 Version	3.1	3.1

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2	`cloud-netconfig-ec2 >= 1.18-slfo.1.1_1.1`
Image SLE-Micro-BYOS Image SLE-Micro-BYOS-GCE Image SLE-Micro-GCE	`cloud-netconfig-gce >= 1.18-slfo.1.1_1.1`
Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS-Azure	`cloud-netconfig-azure >= 1.18-slfo.1.1_1.1`
openSUSE Tumbleweed	`govulncheck-vulndb >= 0.0.20250818T190335-1.1`	Patchnames: openSUSE-Tumbleweed-2025-15469

SUSE Timeline for this CVE

CVE page created: Mon Aug 11 22:02:03 2025
CVE page last modified: Sat May 9 11:34:06 2026