
The version of Mattermost Server installed on the remote host is prior to 9.11.13, 10.5.4, 10.6.3, or 10.7.0. It is, therefore, affected by multiple vulnerabilities as referenced in the MMSA-2025-00458, MMSA-2025-00463 and MMSA-2025-00467 advisories:

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow. (CVE-2025-2571)

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens. (CVE-2025-3230)

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. (CVE-2025-3913)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
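The token-lifecycle defect behind CVE-2025-3230 is a general pattern: a validator that checks only the token record keeps accepting tokens whose owner has since been deactivated, unless deactivation itself revokes them. The Go program below is an added illustration written for this page, not Mattermost's code; the in-memory `Store`, `User`, `AccessToken` types, the `DeleteAt` convention and the two validator functions are all constructed for the example. It shows the weak token-only check beside a hardened check that also consults the owner's status, and a deactivation routine that revokes outstanding tokens so the weak validator is protected too.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model for this example; these are not Mattermost's
// real types, stores or handlers.
type User struct {
	ID       string
	DeleteAt int64 // 0 means active; non-zero means deactivated (constructed convention)
}

type AccessToken struct {
	Token   string
	UserID  string
	Revoked bool
}

type Store struct {
	users  map[string]*User
	tokens map[string]*AccessToken
}

func NewStore() *Store {
	return &Store{users: map[string]*User{}, tokens: map[string]*AccessToken{}}
}

func (s *Store) AddUser(id string) { s.users[id] = &User{ID: id} }

func (s *Store) IssueToken(tok, userID string) {
	s.tokens[tok] = &AccessToken{Token: tok, UserID: userID}
}

var (
	ErrUnknownToken = errors.New("unknown token")
	ErrTokenRevoked = errors.New("token revoked")
	ErrUserInactive = errors.New("user is deactivated")
)

// lookupToken is the check a token-only validator performs: the token row
// exists and is not marked revoked. It never consults the owner's status.
func (s *Store) lookupToken(tok string) (*User, error) {
	t, ok := s.tokens[tok]
	if !ok {
		return nil, ErrUnknownToken
	}
	if t.Revoked {
		return nil, ErrTokenRevoked
	}
	u, ok := s.users[t.UserID]
	if !ok {
		return nil, ErrUnknownToken
	}
	return u, nil
}

// AuthenticateTokenOnly models the weak pattern: if deactivation forgets to
// revoke tokens, a deactivated user's token keeps working.
func (s *Store) AuthenticateTokenOnly(tok string) (*User, error) {
	return s.lookupToken(tok)
}

// AuthenticateHardened adds an independent check on the owner's status, so
// a token outlives deactivation only if both revocation and this check fail.
func (s *Store) AuthenticateHardened(tok string) (*User, error) {
	u, err := s.lookupToken(tok)
	if err != nil {
		return nil, err
	}
	if u.DeleteAt != 0 {
		return nil, ErrUserInactive
	}
	return u, nil
}

// DeactivateUser marks the user inactive and revokes every token it owns in
// the same operation, which is the first-line fix for this class of bug.
func (s *Store) DeactivateUser(id string, now int64) error {
	u, ok := s.users[id]
	if !ok {
		return errors.New("unknown user")
	}
	u.DeleteAt = now
	for _, t := range s.tokens {
		if t.UserID == id {
			t.Revoked = true
		}
	}
	return nil
}

func main() {
	s := NewStore()
	s.AddUser("alice")
	s.IssueToken("tok-alice", "alice")

	// Simulate the defect: a deactivation that only flips the user flag.
	s.users["alice"].DeleteAt = 1
	_, err := s.AuthenticateTokenOnly("tok-alice")
	fmt.Println("token-only validator after flag-only deactivation:", err)
	_, err = s.AuthenticateHardened("tok-alice")
	fmt.Println("hardened validator after flag-only deactivation:", err)

	// Proper deactivation revokes tokens, so even the weak validator rejects.
	_ = s.DeactivateUser("alice", 2)
	_, err = s.AuthenticateTokenOnly("tok-alice")
	fmt.Println("token-only validator after proper deactivation:", err)
}
```

The two layers are deliberately independent: revocation at deactivation time closes the hole for every validator in the system, while the status re-check at validation time covers any deactivation path (an admin API, a bulk import, a directory sync) that forgot to revoke. A detection-side check is to audit for active tokens whose owner is deactivated; such rows should not exist.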