CVE-2025-24920:The CVE-2025-24920 is a medium severity vulnerability that affects Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0. This vulnerability allows authenticated users to create or update bookmarks in archived channels due to a failure in restricting bookmark creation and updates.

splash
Back

Description Preview

The vulnerability, CVE-2025-24920, is an Incorrect Authorization issue (CWE-863) that affects certain versions of Mattermost. Specifically, versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0 are affected. The vulnerability allows authenticated users to create or update bookmarks in archived channels, which should not be allowed. This issue arises due to a failure in the system to restrict bookmark creation and updates in these channels. The vulnerability has a CVSS base score of 4.3, indicating a medium severity level. The vulnerability was discovered externally and was credited to Caleb Roseland.

Overview

The vulnerability was first published on 2025-03-21 and was last updated on the same day. The vulnerability affects Mattermost, a platform for team collaboration and messaging. The vulnerability arises due to incorrect authorization, which allows authenticated users to create or update bookmarks in archived channels. The affected versions are 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0. The vulnerability has a CVSS base score of 4.3, indicating a medium severity level.

Remediation

The recommended solution to this vulnerability is to update Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or higher. These versions are not affected by the vulnerability and will provide users with the necessary security updates.

References

For more information about this vulnerability, you can refer to the following resources:

  1. Mattermost Security Updates
  2. Mattermost Defect Report

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
    Manufacturing
  2. Accommodation & Food Services
    Accommodation & Food Services
  3. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  4. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  5. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  6. Construction
    Construction
  7. Educational Services
    Educational Services
  8. Finance and Insurance
    Finance and Insurance
  9. Health Care & Social Assistance
    Health Care & Social Assistance
  10. Information
    Information
  11. Management of Companies & Enterprises
    Management of Companies & Enterprises
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background