CVE-2025-53857 - Vulnerability Details - OpenCVE

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mattermost	Mattermost

No data.

No data.

References

Link	Providers
https://mattermost.com/security-updates

History

Tue, 12 Aug 2025 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Vendors & Products		Mattermost Mattermost mattermost

Mon, 11 Aug 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 Aug 2025 19:15:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.
Title		Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin
Weaknesses		CWE-862
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2025-08-11T18:57:02.377Z

Updated: 2025-08-11T19:37:14.499Z

Reserved: 2025-07-28T14:26:12.459Z

Link: CVE-2025-53857

Vulnrichment

Updated: 2025-08-11T19:37:08.562Z

NVD

Status : Received

Published: 2025-08-11T19:15:29.603

Modified: 2025-08-11T19:15:29.603

Link: CVE-2025-53857

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53857", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-07-28T14:26:12.459Z", "datePublished": "2025-08-11T18:57:02.377Z", "dateUpdated": "2025-08-11T19:37:14.499Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost Confluence Plugin", "vendor": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThan": "1.5.0"}, {"version": "1.5.0", "status": "unaffected"}], "repo": "https://github.com/mattermost/mattermost-plugin-confluence/"}], "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Gallegos"}], "descriptions": [{"lang": "en", "value": "Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint."}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW", "baseScore": 3.7}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862"}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"value": "Update Mattermost Confluence Plugin to version 1.5.0 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00487", "defect": ["https://mattermost.atlassian.net/browse/MM-64170"], "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "title": "Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-08-11T18:57:02.377Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T19:37:03.066039Z", "id": "CVE-2025-53857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T19:37:14.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-11T19:37:03.066039Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T19:37:08.562Z"}}], "cna": {"title": "Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-64170"], "advisory": "MMSA-2025-00487", "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Gallegos"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mattermost/mattermost-plugin-confluence/", "vendor": "Mattermost", "product": "Mattermost Confluence Plugin", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.0", "versionType": "semver"}, {"status": "unaffected", "version": "1.5.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Confluence Plugin to version 1.5.0 or higher."}], "references": [{"url": "https://mattermost.com/security-updates"}], "descriptions": [{"lang": "en", "value": "Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-08-11T18:57:02.377Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53857", "state": "PUBLISHED", "dateUpdated": "2025-08-11T19:37:14.499Z", "dateReserved": "2025-07-28T14:26:12.459Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2025-08-11T18:57:02.377Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.1"}