Mattermost Server 10.11.x < 10.11.8 / 10.12.x < 10.12.4 / 11.0.x <= 11.0.6 / 11.1.x <= 11.1.1 Improper Authentication (MMSA-2025-00555)

high Nessus Plugin ID 280123

Synopsis

The Mattermost Server installed on the remote host is affected by an improper authentication vulnerability.

Description

The version of Mattermost Server installed on the remote host is 10.11.x prior to 10.11.8, 10.12.x prior to 10.12.4, 11.0.x prior to 11.0.6, or 11.1.x prior to 11.1.1, and is, therefore, affected by an improper authentication vulnerability:

- Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555. (CVE-2025-14273)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
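As an added illustration of the version-only check described above (example code written for this page, not the Nessus NASL plugin or Mattermost's own code), the following compares a self-reported Mattermost Server version against the affected ranges and fixed releases stated in this advisory. It assumes the reported version string begins with major.minor.patch; any trailing build components are ignored.

```python
import re
from typing import Optional, Tuple

# Affected branches from the Description, mapped to the first fixed
# release in that branch from the Solution: versions in the branch
# strictly below the fixed release are affected.
FIXED_BY_BRANCH = {
    (10, 11): (10, 11, 8),
    (10, 12): (10, 12, 4),
    (11, 0): (11, 0, 6),
    (11, 1): (11, 1, 1),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a self-reported version string.

    Assumption: the string starts with three dot-separated integers,
    optionally prefixed with 'v'; anything after the patch number is ignored.
    Returns None when no such prefix is present.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `version` is affected.

    Returns None when the version is unparseable, belongs to a branch the
    advisory does not list, or is already at or above the fixed release.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None or parsed >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def is_affected(version: str) -> bool:
    """True when the server version falls inside an affected range."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus an unlisted branch.
    for v in ("10.11.7", "10.12.4", "11.0.5", "11.1.1", "10.10.9"):
        print(v, "->", fixed_version_for(v) or "not flagged")
```

Because the check uses only the server version, it also flags servers where the Jira plugin is not enabled or is newer than 4.4.0; confirm the plugin state before treating a hit as exploitable.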

Solution

Upgrade to Mattermost Server version 10.11.8, 10.12.4, 11.0.6, or 11.1.1 or later.

See Also

https://mattermost.com/security-updates/

Plugin Details

Severity: High

ID: 280123

File Name: mattermost_server_MMSA-2025-00555.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 12/29/2025

Updated: 12/29/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2025-14273

CVSS v3

Risk Factor: High

Base Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Vulnerability Information

CPE: cpe:/a:mattermost:mattermost_server

Required KB Items: installed_sw/Mattermost Server

Patch Publication Date: 12/18/2025

Vulnerability Publication Date: 12/18/2025

Reference Information

CVE: CVE-2025-14273

IAVA: 2025-A-0893