{"id":"GHSA-fpff-wj6m-grvr","summary":"Mattermost Fails to Check User Access to `ExperimentalSettings`","details":"Mattermost versions 10.5.x \u003c= 10.5.2, 9.11.x \u003c= 9.11.11 fail to check the `RestrictSystemAdmin` setting if the user doesn't have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentalSettings` via the System Console when `RestrictSystemAdmin` is true.","aliases":["CVE-2025-2570","GO-2025-3694"],"modified":"2025-05-23T16:13:29.231305Z","published":"2025-05-15T18:31:46Z","database_specific":{"severity":"LOW","github_reviewed_at":"2025-05-17T15:04:07Z","github_reviewed":true,"nvd_published_at":"2025-05-15T16:15:33Z","cwe_ids":["CWE-863"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2570"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost"},{"type":"WEB","url":"https://mattermost.com/security-updates"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"10.5.0"},{"fixed":"10.5.3"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 10.5.2","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-fpff-wj6m-grvr/GHSA-fpff-wj6m-grvr.json"}},{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.11.0"},{"fixed":"9.11.12"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 9.11.11","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-fpff-wj6m-grvr/GHSA-fpff-wj6m-grvr.json"}},{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.0.0-20250411064244-844447fbd57c"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-fpff-wj6m-grvr/GHSA-fpff-wj6m-grvr.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}]}