fkie_cve-2025-3230
Vulnerability from fkie_nvd
Published
2025-05-30 15:15
Modified
2025-05-30 16:31
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
References
responsibledisclosure@mattermost.comhttps://mattermost.com/security-updates
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mattermost versions 10.7.x \u003c= 10.7.0, 10.6.x \u003c= 10.6.2, 10.5.x \u003c= 10.5.3, 9.11.x \u003c= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens."
    },
    {
      "lang": "es",
      "value": "Las versiones de Mattermost 10.7.x \u0026lt;= 10.7.0, 10.6.x \u0026lt;= 10.6.2, 10.5.x \u0026lt;= 10.5.3, 9.11.x \u0026lt;= 9.11.12 no invalidan correctamente los tokens de acceso personal tras la desactivaci\u00f3n del usuario, lo que permite que los usuarios desactivados mantengan acceso completo al sistema explotando fallas de validaci\u00f3n de tokens de acceso mediante el uso continuo de tokens emitidos previamente."
    }
  ],
  "id": "CVE-2025-3230",
  "lastModified": "2025-05-30T16:31:03.107",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "responsibledisclosure@mattermost.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-30T15:15:41.043",
  "references": [
    {
      "source": "responsibledisclosure@mattermost.com",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "sourceIdentifier": "responsibledisclosure@mattermost.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-303"
        }
      ],
      "source": "responsibledisclosure@mattermost.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.