Nixpkgs security tracker
NIXPKGS-2026-0264
GitHub issue
published 4 months ago
Permalink
CVE-2025-13821
5.7 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- mattermost-desktop
- python312Packages.mattermostdriver
- python313Packages.mattermostdriver
- python314Packages.mattermostdriver
-
@LeSuisse
deleted
maintainer.delete
5 maintainers
- @fsagbuya
- @Kranzes
- @numinit
- @mgdelacroix
- @ryantm
- @LeSuisse accepted
- @LeSuisse published on GitHub
User profile update exposes password hash and MFA secrets
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
References
-
MMSA-2025-00560 vendor-advisory
Affected products
Mattermost
- ==10.11.10
- ==11.3.0
- =<11.1.2
- ==11.1.3
- =<10.11.9
- =<11.2.1
- ==11.2.2
Matching in nixpkgs
pkgs.mattermost
Open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermostLatest
Open source platform for secure collaboration across the entire software development lifecycle
Ignored packages (4)
pkgs.mattermost-desktop
Mattermost Desktop client
pkgs.python312Packages.mattermostdriver
None
pkgs.python313Packages.mattermostdriver
Python Mattermost Driver
pkgs.python314Packages.mattermostdriver
Python Mattermost Driver
Package maintainers
Ignored maintainers (3)
-
@ryantm Ryan Mulligan <ryan@ryantm.com>
-
@numinit Morgan Jones <me+nixpkgs@numin.it>
-
@mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>