Miggo Logo
Miggo Vulnerability Database
CVE-2025-1472

CVE-2025-1472:
Mattermost Fails to Properly Perform Viewer Role Authorization

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-1472
GHSA ID
GHSA-fqrq-xmxj-v47x
EPSS Score
0.08332%
CWE
CWE-863
Published
3/19/2025
Updated
3/19/2025
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/mattermost/mattermost/server/v8go
github.com/mattermost/mattermost-servergo

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on improper authorization checks for reporting features. Mattermost's analytics endpoints would logically be handled in API handlers (api4 package) calling core analytics logic (app package). The pattern matches Go project structure where api4 handles HTTP layer and app handles business logic. High confidence comes from: 1) The vulnerability manifests in statistics access 2) Authorization must be checked at both API and app layers 3) 'Viewer role with No Access to Reporting' implies missing check between role assignment and permission flags during statistics retrieval.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost v*rsions *.**.x <= *.**.* **il to prop*rly p*r*orm *ut*oriz*tion o* t** Vi*w*r rol* w*i** *llows *n *tt**k*r wit* t** Vi*w*r rol* *on*i*ur** wit* No ****ss to R*portin* to still vi*w t**m *n* sit* st*tisti*s.

Reasoning

T** vuln*r**ility **nt*rs on improp*r *ut*oriz*tion ****ks *or r*portin* ***tur*s. M*tt*rmost's *n*lyti*s *n*points woul* lo*i**lly ** **n*l** in *PI **n*l*rs (*pi* p**k***) **llin* *or* *n*lyti*s lo*i* (*pp p**k***). T** p*tt*rn m*t***s *o proj**t s