CVE-2025-24490
Published: 24 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-24490 is a SQL injection vulnerability in Mattermost, affecting versions 10.4.x up to and including 10.4.1, 9.11.x up to and including 9.11.7, 10.3.x up to and including 10.3.2, and 10.2.x up to and including 10.2.2. The flaw stems from the failure to use prepared statements in the SQL query handling boards reordering, enabling attackers to inject malicious SQL payloads when reordering specially crafted boards categories. It has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By reordering specially crafted boards categories, the attacker can execute arbitrary SQL queries to retrieve sensitive data from the database (high confidentiality impact) and modify data (high integrity impact), with the attack changing scope to potentially affect higher-privilege components.
For mitigation details, refer to the Mattermost security updates advisory at https://mattermost.com/security-updates.
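The root cause named above is string-built SQL in the query that reorders board categories. The following is an added example (not Mattermost's code, and not taken from this advisory) showing that pattern beside a hardened version that validates the caller-supplied category IDs, checks ownership with a placeholder list, and uses parameterized statements for the reorder itself. The `category` table, its columns, the ID format and the sample rows are all constructed for the demonstration; Python with the standard-library `sqlite3` module is used so the example runs stand-alone, although the same placeholder discipline applies to Go's `database/sql`.

```python
import re
import sqlite3

# Assumed ID format: short alphanumeric identifiers. Anything else is rejected
# before it gets anywhere near a query.
ID_RE = re.compile(r"^[A-Za-z0-9]{1,26}$")


def setup_db():
    """Create an in-memory database with a constructed 'boards categories' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE category ("
        " id TEXT PRIMARY KEY, user_id TEXT NOT NULL,"
        " name TEXT, sort_order INTEGER NOT NULL)"
    )
    # Constructed sample rows: three categories for user u1, one for user u2.
    conn.executemany(
        "INSERT INTO category VALUES (?, ?, ?, ?)",
        [
            ("cat1", "u1", "Favorites", 0),
            ("cat2", "u1", "Projects", 1),
            ("cat3", "u1", "Archive", 2),
            ("cat9", "u2", "Other user", 0),
        ],
    )
    conn.commit()
    return conn


def reorder_vulnerable(conn, user_id, ordered_ids):
    """Vulnerable pattern: request-controlled IDs are interpolated into the SQL text.

    A category ID containing quote characters changes the statement itself,
    which is the CWE-89 condition the advisory describes.
    """
    for pos, cid in enumerate(ordered_ids):
        conn.execute(
            f"UPDATE category SET sort_order = {pos} "
            f"WHERE user_id = '{user_id}' AND id = '{cid}'"
        )
    conn.commit()


def reorder_safe(conn, user_id, ordered_ids):
    """Hardened version: validate, check ownership, then update with bound parameters."""
    if not ordered_ids or not all(ID_RE.match(cid) for cid in ordered_ids):
        raise ValueError("category IDs must be short alphanumeric identifiers")
    if len(set(ordered_ids)) != len(ordered_ids):
        raise ValueError("duplicate category IDs in reorder request")

    # Only '?' markers are interpolated here (one per ID); the IDs themselves
    # travel as bound parameters, so they can never alter the statement.
    placeholders = ",".join("?" * len(ordered_ids))
    owned = {
        row[0]
        for row in conn.execute(
            f"SELECT id FROM category WHERE user_id = ? AND id IN ({placeholders})",
            [user_id, *ordered_ids],
        )
    }
    if owned != set(ordered_ids):
        raise ValueError("request references categories not owned by this user")

    conn.executemany(
        "UPDATE category SET sort_order = ? WHERE user_id = ? AND id = ?",
        [(pos, user_id, cid) for pos, cid in enumerate(ordered_ids)],
    )
    conn.commit()


def current_order(conn, user_id):
    """Return the user's category IDs in their stored display order."""
    rows = conn.execute(
        "SELECT id FROM category WHERE user_id = ? ORDER BY sort_order", (user_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    reorder_safe(db, "u1", ["cat3", "cat1", "cat2"])
    print(current_order(db, "u1"))  # ['cat3', 'cat1', 'cat2']
```

The ownership check matters as much as the placeholders: the advisory rates the flaw with a scope change, and a reorder endpoint that binds parameters but never confirms the IDs belong to the requesting user still lets one account rewrite another's rows. When reviewing similar code, search for any query text built with string formatting or concatenation from request fields, and treat variable-length `IN (...)` lists as the usual place where developers fall back to concatenation.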
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a web application enables remote exploitation of a public-facing application (T1190), privilege escalation through the scope change to higher-privilege components (T1068), retrieval of data from databases (T1213.006), and manipulation of stored data (T1565.001).