Primary

Context

Mattermost Path Traversal Vulnerability Allowing Thumbnail Overwrite in File Streaming APIs

Vulnerability

Patched

A path traversal vulnerability has been identified in Mattermost versions 10.8.x prior to 10.8.3, 10.5.x prior to 10.5.8, 10.10.x prior to 10.10.0, and 10.9.x prior to 10.9.3. This vulnerability arises because the application fails to properly sanitize file names, enabling users with file upload permissions to overwrite file attachment thumbnails. The issue can be exploited through file streaming APIs by manipulating file paths.

Impact

Exploitation of this vulnerability allows for unauthorized overwriting of file attachment thumbnails, potentially leading to confusion or misrepresentation of file contents.

Remediation

Users can upgrade to Mattermost versions 10.11.0, 10.5.10, or 10.9.5 to address this vulnerability.

Added: Aug 21, 2025, 5:22 PM

Updated: Aug 21, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

0.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

0.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Path Traversal Vulnerability Allowing Thumbnail Overwrite in File Streaming APIs

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating