{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12419", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-10-28T16:09:58.730Z", "datePublished": "2025-11-27T15:55:44.815Z", "dateUpdated": "2025-11-27T17:18:07.520Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "10.12.1", "status": "affected", "version": "10.12.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.4", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"lessThanOrEqual": "10.5.12", "status": "affected", "version": "10.5.0", "versionType": "semver"}, {"lessThanOrEqual": "11.0.3", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"version": "11.1.0", "status": "unaffected"}, {"version": "10.12.2", "status": "unaffected"}, {"version": "10.11.5", "status": "unaffected"}, {"version": "10.5.13", "status": "unaffected"}, {"version": "11.0.4", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daw10"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost."}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseSeverity": "CRITICAL", "baseScore": 9.9}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "cweId": "CWE-303"}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"value": "Update Mattermost to versions 11.1.0, 10.12.2, 10.11.5, 10.5.13, 11.0.4 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00547", "defect": ["https://mattermost.atlassian.net/browse/MM-66371"], "discovery": "EXTERNAL"}, "title": "Account takeover on OAuth/OpenID-enabled servers", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-11-27T17:18:07.520Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation or admin privileges to take over any user account via manipulation of authentication data during the OAuth completion flow"}], "id": "CVE-2025-12419", "lastModified": "2025-11-27T16:15:46.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2025-11-27T16:15:46.957", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-303"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{}