Detections
Analytics
Mattermost Server 10.5.x < 10.5.11 / 10.10.x < 10.10.3 / 10.11.x 10.11.2 / 10.12.0 Multiple Vulnerabilities (MMSA-2025-00507, MMSA-2025-00508)
high Nessus Plugin ID 271810
Language:
Synopsis
The remote host is missing a security update.Description
The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities as referenced in the MMSA-2025-00507, MMSA-2025-00508 advisories.- Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.3, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state. (CVE-2025-58073)
- Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.3, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState. (CVE-2025-58075)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Mattermost Server version 10.5.11, 10.10.3, 10.11.2, 10.12.0 or later.See Also
Plugin Details
Severity: High
ID: 271810
File Name: mattermost_server_MMSA-2025-00507_MMSA-2025-00508.nasl
Version: 1.1
Type: remote
Family: CGI abuses
Published: 10/28/2025
Updated: 10/28/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.0
CVSS v2
Risk Factor: High
Base Score: 8.5
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N
CVSS Score Source: CVE-2025-58075
CVSS v3
Risk Factor: High
Base Score: 8.1
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Information
CPE: cpe:/a:mattermost:mattermost_server
Required KB Items: installed_sw/Mattermost Server
Patch Publication Date: 10/16/2025
Vulnerability Publication Date: 10/16/2025
Reference Information
CVE: CVE-2025-58073, CVE-2025-58075
IAVA: 2025-A-0779