CVE-2025-24920 MEDIUM

CVE-2025-24920: Unauthorized Bookmark Creation and Modification in Archived Channels

Vendor Mattermost

Product Mattermost

Weakness CWE-863 · Incorrect authorization

Published March 21, 2025

Last update March 21, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels

Key dates

02Disclosure timeline

March 21, 2025 CVE published

March 21, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24920 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2025-24920

CWE CWE-863

CVSS 4.3 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≥ 10.4.0 and ≤ 10.4.2

Vendor Mattermost

Product Mattermost

Affected ≥ 10.3.0 and ≤ 10.3.3

Vendor Mattermost

Product Mattermost

Affected ≥ 9.11.0 and ≤ 9.11.8

Vendor Mattermost

Product Mattermost

Affected 10.5.0

CVE-2025-24920: Unauthorized Bookmark Creation and Modification in Archived Channels

01Description

02Disclosure timeline

03References

04Related CVE