Headline

GHSA-f72g-52v7-mg3p: Mattermost boards plugin fails to restrict download access to files

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

30 days ago

ghsa

Open in Source

#git #perl #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2025-9081

Mattermost boards plugin fails to restrict download access to files

Low severity GitHub Reviewed Published Sep 19, 2025 to the GitHub Advisory Database • Updated Sep 22, 2025

Package

gomod github.com/mattermost/mattermost-plugin-boards (Go)

Affected versions

< 0.0.0-20250716054606-3f3e3becfe1d

Patched versions

0.0.0-20250716054606-3f3e3becfe1d

gomod github.com/mattermost/mattermost-server (Go)

>= 10.5.0-rc1, < 10.5.9

>= 9.11.0-rc1, < 9.11.18

gomod github.com/mattermost/mattermost/server/v8 (Go)

< 8.0.0-20250721095935-11c36f4d1e44

8.0.0-20250721095935-11c36f4d1e44

Description

Published to the GitHub Advisory Database

Sep 19, 2025

Last updated

Sep 22, 2025

ghsa: Latest News

GHSA-xvp7-8vm8-xfxx: Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers

2 hours ago

ghsa

GHSA-r8c2-2qwq-94p6: rollbar vulnerable to prototype pollution

5 hours ago

ghsa

GHSA-g955-vw6w-v6pp: Citizen vulnerable to stored XSS in sticky header button messages

5 hours ago

ghsa

GHSA-gjp8-99fv-cgcw: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

2 days ago

ghsa

GHSA-gr6v-3pmp-996p: Cargo Mediawiki Extension vulnerable to Cross-site Scripting

2 days ago

ghsa