Dismissed
CVE-2026-0998
4.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed 6 packages
  - mattermost
  - mattermostLatest
  - mattermost-desktop
  - python312Packages.mattermostdriver
  - python313Packages.mattermostdriver
  - python314Packages.mattermostdriver
- @LeSuisse dismissed
Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the /api/v1/askPMI endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data. Mattermost Advisory ID: MMSA-2025-00534
References
- MMSA-2025-00534 vendor-advisory
Affected products
Mattermost
- =<10.11.9
- ==11.3.0
- ==11.1.3
- =<11.1.2
- ==11.2.2
- =<11.2.1
- ==10.11.10