Security
Headlines

Headlines Latest CVEs

Headline

GHSA-ff85-qw3h-g9vp: Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.

2 months ago

#git #oauth #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2025-55073

Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL

Moderate severity GitHub Reviewed Published Nov 14, 2025 to the GitHub Advisory Database • Updated Nov 17, 2025

Package

gomod github.com/mattermost/mattermost-server (Go)

Affected versions

>= 10.11.0, < 10.11.4

>= 10.5.0, < 10.5.12

>= 10.12.0, < 10.12.1

Patched versions

10.11.4

10.5.12

10.12.1

gomod github.com/mattermost/mattermost/server/v8 (Go)

< 8.0.0-20250929212932-a41db04d2746

8.0.0-20250929212932-a41db04d2746

Description

Published to the GitHub Advisory Database

Nov 14, 2025

Last updated

Nov 17, 2025

ghsa: Latest News

GHSA-54wq-72mp-cq7c: Mailpit has an SMTP Header Injection via Regex Bypass

20 minutes ago

GHSA-4gpc-rhpj-9443: Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)

20 minutes ago

GHSA-39h3-g67r-7g3c: ImageMagick releases an invalid pointer in BilateralBlur when memory allocation fails

49 minutes ago

GHSA-2657-3c98-63jq: esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages

53 minutes ago

GHSA-j7xp-4mg9-x28r: Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion

1 hour ago