
CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Sep 2024 — Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character. • https://mattermost.com/security-updates • CWE-693: Protection Mechanism Failure

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Sep 2024 — Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine. • https://mattermost.com/security-updates • CWE-427: Uncontrolled Search Path Element

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

23 Aug 2024 — Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command, which allows a user to consume excessive resources by running the /export command multiple times at once. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this server, which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications. • https://mattermost.com/security-updates • CWE-287: Improper Authentication

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2024 — Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state, which allows an attacker to change the contents of a LaTeX post by creating another post with specific macro definitions. • https://mattermost.com/security-updates • CWE-909: Missing Initialization of Resource

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jun 2024 — Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs, which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes. • https://mattermost.com/security-updates • CWE-693: Protection Mechanism Failure

CVSS: 3.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jun 2024 — Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags, which allows for bypassing TCC restrictions on macOS. • https://mattermost.com/security-updates • CWE-693: Protection Mechanism Failure

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Apr 2024 — Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

29 Feb 2024 — Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members, but not to add guests, to add a guest to a team as long as the guest was already a guest in another team of the server. • https://mattermost.com/security-updates • CWE-284: Improper Access Control

CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

29 Feb 2024 — Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send a very long string as an emoji value multiple times, causing high resource consumption and possibly crashing the server. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption