Upstream information

CVE-2025-4128 at MITRE

Description

Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.

SUSE information

Overall state of this security issue: Resolved

This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.

CVSS v3 Scores
  CNA (Mattermost)
Base Score 3.1
Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact Low
Integrity Impact None
Availability Impact None
CVSSv3 Version 3.1
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • govulncheck-vulndb >= 0.0.20250612T141001-1.1
Patchnames:
openSUSE-Tumbleweed-2025-15225


SUSE Timeline for this CVE

CVE page created: Wed Jun 11 14:00:04 2025
CVE page last modified: Mon Jul 7 12:38:21 2025