
Commit 8ca8b49

1 parent c81a010 commit 8ca8b49


2 files changed

+152
-36
lines changed

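--- /dev/null
+++ b/[added-file-path-not-shown-on-page]/GHSA-x3r8-2hmh-89f5.json
@@ -0,0 +1,152 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-x3r8-2hmh-89f5",
+"modified": "2025-12-20T17:27:10Z",
+"published": "2025-12-17T21:30:48Z",
+"aliases": [
+"CVE-2025-13324"
+],
+"summary": "Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation",
+"details": "Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users from private channels via token replay attack.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.12.0"
+},
+{
+"fixed": "10.12.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "10.11.0-rc1"
+},
+{
+"fixed": "10.11.5"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "11.0.0-alpha.1"
+},
+{
+"fixed": "11.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost/server/v8"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.0.0-20251031095924-e7e23b94e006"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/mattermost/mattermost-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "11.0.4"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "< 5.3.2-0.20251028000919-d3ed703dc833"
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13324"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mattermost/mattermost/commit/364c2203de00fe0d8424b6b46d6f0eeb02a2539a"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mattermost/mattermost/commit/7ccb62db7958abd6a4b21a06c5a4f5367a8f8b1f"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mattermost/mattermost/commit/9f54e5cdc3aef412945ff0e6a58338f7b549bdda"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/mattermost/mattermost"
+},
+{
+"type": "WEB",
+"url": "https://mattermost.com/security-updates"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-863"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2025-12-20T17:27:10Z",
+"nvd_published_at": "2025-12-17T19:16:01Z"
+}
+}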
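Review bot: The `fixed` pseudo-version for `github.com/mattermost/mattermost/server/v8`, `8.0.0-20251031095924-e7e23b94e006`, names commit `e7e23b94e006`, which is not one of the three fix commits listed under `references` (364c2203…, 7ccb62db…, 9f54e5cd…), so a consumer matching the pseudo-version cannot trace it to a referenced patch; either add a `{"type": "WEB", "url": "<commit URL for e7e23b94e006 — confirm>"}` entry or confirm the pseudo-version should point at one of the listed commits. The three `github.com/mattermost/mattermost` ranges also handle pre-releases inconsistently: `10.11.0-rc1` and `11.0.0-alpha.1` start at a pre-release while the 10.12 range starts at `10.12.0`, which would leave any 10.12.0 pre-release build outside the affected set if such builds exist. For `github.com/mattermost/mattermost-server`, `fixed: "11.0.4"` sits alongside `last_known_affected_version_range: "< 5.3.2-0.20251028000919-d3ed703dc833"`, and it is not clear from the file which of the two a matcher should trust for that module path — presumably the pseudo-version range reflects the legacy module, but that should be confirmed with the reviewer.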

advisories/unreviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json

Lines changed: 0 additions & 36 deletions
This file was deleted.
