CVE-2025-27538

LOW Year: 2025
CVSS v3 Score
2.2
Low
Weakness Type
CWE-306
View all →

Vulnerability Description

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.

Related Vulnerabilities

CVE-2019-20559

LOW
CVSS:2.4(Low)

An issue was discovered on Samsung mobile devices with P(9.0) software. Gallery allows viewing of photos on the lock screen. The Samsung ID is SVE-2019-15055 (October 2019).

CWE-3062019

CVE-2019-20579

LOW
CVSS:2.4(Low)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Gallery allows attackers to enable Location information sharing from the lock screen. The Samsung ID is SVE-...

CWE-3062019

CVE-2019-20595

LOW
CVSS:2.4(Low)

An issue was discovered on Samsung mobile devices with P(9.0) software. Quick Panel allows enabling or disabling the Bluetooth stack without authentication. The Samsung ID is SVE-2019-14545 (July 2019...

CWE-3062019

CVE-2019-20598

LOW
CVSS:2.4(Low)

An issue was discovered on Samsung mobile devices with O(8.x) software. Bixby leaks the keyboard's learned words, and the clipboard contents, via the lock screen. The Samsung IDs are SVE-2018-12896, S...

CWE-3062019

CVE-2019-8682

LOW
CVSS:2.4(Low)

The issue was addressed with improved UI handling. This issue is fixed in iOS 12.4, watchOS 5.3. A user may inadvertently complete an in-app purchase while on the lock screen.

CWE-3062019

CVE-2020-25824

LOW
CVSS:2.4(Low)

Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard...

CWE-3062020