Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4578-6gjh-f2jm: Mattermost allows an unauthorized Guest user access to Playbook

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

ghsa
#git#perl#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-3228

Mattermost allows an unauthorized Guest user access to Playbook

Moderate severity GitHub Reviewed Published Jun 20, 2025 to the GitHub Advisory Database • Updated Jun 20, 2025

Package

gomod github.com/mattermost/mattermost-server (Go)

Affected versions

< 0.0.0-20250520060012-d0380305ef7a

Patched versions

0.0.0-20250520060012-d0380305ef7a

gomod github.com/mattermost/mattermost/server/v8 (Go)

< 8.0.0-20250520060012-d0380305ef7a

>= 10.5.0, <= 10.5.5

>= 9.11.0, <= 9.11.15

= 10.8.0

>= 10.7.0, <= 10.7.2

>= 10.6.0, <= 10.6.5

8.0.0-20250520060012-d0380305ef7a

10.5.6

9.11.16

10.8.1

10.7.3

10.6.6

Published to the GitHub Advisory Database

Jun 20, 2025

Last updated

Jun 20, 2025

ghsa: Latest News

GHSA-6qhv-4h7r-2g9m: rfc3161-client has insufficient verification for timestamp response signatures