CVE-2025-2571

Medium

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when…

Mattermost·CWE-303·Published 2025-05-30

CVSS

4.2

EPSS

0.00

KEV

Exploits

cve.orgen

274 chars

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

NVDen

274 chars

GHSAen

274 chars

NVDes

334 chars

Las versiones de Mattermost 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 no borran las credenciales de Google OAuth al convertir cuentas de usuario en cuentas de bot, lo que permite a los atacantes obtener acceso no autorizado a las cuentas de bot a través del flujo de registro de Google OAuth.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	4.2	—	—	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
3.1	Secondary	NVD	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
3.1	Secondary	GHSA	4.2	—	—	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N