{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1472", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-02-19T15:34:14.680Z", "datePublished": "2025-03-19T14:11:03.977Z", "dateUpdated": "2025-03-19T14:40:59.930Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "9.11.8", "status": "affected", "version": "9.11.0", "versionType": "semver"}, {"status": "unaffected", "version": "10.5.0"}, {"status": "unaffected", "version": "9.11.9"}]}], "credits": [{"lang": "en", "type": "finder", "value": "jeetbhdr"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Mattermost versions 9.11.x &lt;= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.</p>"}], "value": "Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-03-19T14:11:03.977Z"}, "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Update Mattermost to versions 10.5.0, 9.11.9 or higher.</p>"}], "value": "Update Mattermost to versions 10.5.0, 9.11.9 or higher."}], "source": {"advisory": "MMSA-2024-00411", "defect": ["https://mattermost.atlassian.net/browse/MM-62053"], "discovery": "EXTERNAL"}, "title": "Unauthorized View Access to Site Statistics and Team Statistics", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-19T14:39:55.742466Z", "id": "CVE-2025-1472", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:40:59.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1472", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-19T14:39:55.742466Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:39:59.425Z"}}], "cna": {"title": "Unauthorized View Access to Site Statistics and Team Statistics", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-62053"], "advisory": "MMSA-2024-00411", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "jeetbhdr"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "9.11.8"}, {"status": "unaffected", "version": "10.5.0"}, {"status": "unaffected", "version": "9.11.9"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 10.5.0, 9.11.9 or higher.", "supportingMedia": [{"type": "text/html", "value": "<p>Update Mattermost to versions 10.5.0, 9.11.9 or higher.</p>", "base64": false}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.", "supportingMedia": [{"type": "text/html", "value": "<p>Mattermost versions 9.11.x &lt;= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-03-19T14:11:03.977Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1472", "state": "PUBLISHED", "dateUpdated": "2025-03-19T14:40:59.930Z", "dateReserved": "2025-02-19T15:34:14.680Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2025-03-19T14:11:03.977Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics."}], "id": "CVE-2025-1472", "lastModified": "2025-03-19T15:15:53.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2025-03-19T15:15:53.433", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}