CVE-2025-49222

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-49222
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.

6.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://mattermost.com/security-updates
Configurations

No configuration.

History

22 Aug 2025, 18:09

Type Values Removed Values Added
Summary
  • (es) Las versiones de Mattermost 10.8.x &lt;= 10.8.3, 10.5.x &lt;= 10.5.8, 9.11.x &lt;= 9.11.17, 10.9.x &lt;= 10.9.2, 10.10.x &lt;= 10.10.0 no pueden validar los tipos de carga en sesiones de carga de clúster remoto, lo que permite que un administrador del sistema cargue tipos de archivos no adjuntos a través de canales compartidos que potencialmente podrían ubicarse en directorios arbitrarios del sistema de archivos.

21 Aug 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-21 08:15

Updated : 2025-08-22 18:09

NVD link : CVE-2025-49222

Mitre link : CVE-2025-49222

CVE.ORG link : CVE-2025-49222

JSON object : View

Products Affected

No product.

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type