
CVE-2024-39772 – Silent Desktop Screenshot Capture
https://notcve.org/view.php?id=CVE-2024-39772
16 Sep 2024 — Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVE-2024-45833 – Mobile password gets saved in dictionary under conditions
https://notcve.org/view.php?id=CVE-2024-45833
16 Sep 2024 — Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while the password is being typed and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character. • https://mattermost.com/security-updates • CWE-693: Protection Mechanism Failure •

CVE-2024-39613 – RCE in desktop app in Windows by local attacker
https://notcve.org/view.php?id=CVE-2024-39613
16 Sep 2024 — Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine. • https://mattermost.com/security-updates • CWE-427: Uncontrolled Search Path Element •

CVE-2024-43105 – Excessive Resource Consumption via `/export`
https://notcve.org/view.php?id=CVE-2024-43105
23 Aug 2024 — Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command, which allows a user to consume excessive resources by running the /export command multiple times at once. • https://mattermost.com/security-updates • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-39767 – Spoofed push notifications from malicious server
https://notcve.org/view.php?id=CVE-2024-39767
15 Jul 2024 — Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from that server, which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications. • https://mattermost.com/security-updates • CWE-287: Improper Authentication •

CVE-2024-32945 – LaTeX post content manipulation via renderer state leak across contexts
https://notcve.org/view.php?id=CVE-2024-32945
15 Jul 2024 — Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state, which allows an attacker to change the contents of a LaTeX post by creating another post with specific macro definitions. • https://mattermost.com/security-updates • CWE-909: Missing Initialization of Resource •

CVE-2024-37182 – Lack of permissions prompting when opening external URLs
https://notcve.org/view.php?id=CVE-2024-37182
14 Jun 2024 — Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs, which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes. • https://mattermost.com/security-updates • CWE-693: Protection Mechanism Failure •

CVE-2024-36287 – Bypass of TCC restrictions on macOS
https://notcve.org/view.php?id=CVE-2024-36287
14 Jun 2024 — Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags, which allows for bypassing TCC restrictions on macOS. • https://mattermost.com/security-updates • CWE-693: Protection Mechanism Failure •

CVE-2024-29215 – Slash commands run in channel without channel membership via playbook task commands
https://notcve.org/view.php?id=CVE-2024-29215
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control, which allows a user to run a slash command in a channel they are not a member of by linking a playbook run to that channel and running a slash command as a playbook task command. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVE-2024-36255 – Post actions can run playbook checklist task commands
https://notcve.org/view.php?id=CVE-2024-36255
26 May 2024 — Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions, which allows an attacker to run a playbook checklist task command as another user by creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel. • https://mattermost.com/security-updates • CWE-352: Cross-Site Request Forgery (CSRF) •