CVE-2025-24920: 
vulnerability analysis and mitigation

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0 contain a vulnerability related to bookmark management in archived channels. The issue was disclosed on March 21, 2025, and is tracked as CVE-2025-24920. This vulnerability affects multiple versions of the Mattermost server software, allowing authenticated users to create or update bookmarks in archived channels when such actions should be restricted (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-863 (Incorrect Authorization), indicating a flaw in the authorization mechanism for bookmark management in archived channels (NVD).

The vulnerability allows authenticated users to perform unauthorized bookmark operations in archived channels, potentially compromising the integrity of the channel archival system. While the impact is limited to bookmark manipulation, it represents a breach of the expected security controls for archived content (NVD).

Users are advised to upgrade to the following fixed versions: 10.3.4 or later for the 10.3.x series, 10.4.3 or later for the 10.4.x series, 10.5.1 or later for the 10.5.x series, and 9.11.9 or later for the 9.11.x series (NVD, Mattermost Security).