CVE-2025-27538

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.

CVSS v3 2.2 LOW

2.2^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates

Configurations

No configuration.

History

16 Apr 2025, 13:25

Type	Values Removed	Values Added
Summary		(es) Las versiones de Mattermost 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 no implementan las comprobaciones de MFA en PUT /api/v4/users/user-id/mfa cuando el usuario solicitante difiere del ID del usuario de destino, lo que permite a los usuarios con permiso edit_other_users activar o desactivar MFA para otros usuarios, incluso si esos usuarios no han configurado MFA.

16 Apr 2025, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-16 08:15

Updated : 2025-04-16 13:25

NVD link : CVE-2025-27538

Mitre link : CVE-2025-27538

CVE.ORG link : CVE-2025-27538

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

2.2 /10