Search criteria
57 vulnerabilities found for mattermost_mobile by mattermost
FKIE_CVE-2025-30516
Vulnerability from fkie_nvd - Published: 2025-04-14 07:15 - Updated: 2025-09-24 14:57
Severity ?
2.0 (Low) - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FCFF440F-7281-4970-926E-FE7C6388E3D2",
"versionEndExcluding": "2.26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications"
},
{
"lang": "es",
"value": "Las versiones 2.25.0 o anteriores de las aplicaciones m\u00f3viles de Mattermost no pueden finalizar las sesiones durante el cierre de sesi\u00f3n en determinadas condiciones (por ejemplo, mala conectividad), lo que permite que usuarios no autorizados en dispositivos compartidos accedan a contenido de notificaciones confidenciales a trav\u00e9s de notificaciones m\u00f3viles continuas."
}
],
"id": "CVE-2025-30516",
"lastModified": "2025-09-24T14:57:30.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-04-14T07:15:14.397",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-1558
Vulnerability from fkie_nvd - Published: 2025-03-24 15:15 - Updated: 2025-09-25 19:14
Severity ?
Summary
Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "514C31F2-D40F-4163-B83A-47CEE257D8E2",
"versionEndExcluding": "2.25.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF."
},
{
"lang": "es",
"value": "Las versiones \u0026lt;=2.25.0 de Mattermost Mobile Apps no validan correctamente las im\u00e1genes GIF antes de renderizarlas, lo que permite que un usuario malintencionado provoque el bloqueo de la aplicaci\u00f3n de Android a trav\u00e9s de un mensaje que contiene un GIF manipulado con fines malintencionados."
}
],
"id": "CVE-2025-1558",
"lastModified": "2025-09-25T19:14:35.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
},
"published": "2025-03-24T15:15:16.060",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-20630
Vulnerability from fkie_nvd - Published: 2025-01-16 19:15 - Updated: 2025-09-24 16:42
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25",
"versionEndExcluding": "2.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile versions \u003c=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
},
{
"lang": "es",
"value": "Las versiones de Mattermost Mobile \u0026lt;=2.22.0 no gestionan adecuadamente las publicaciones con archivos adjuntos que contienen campos que no se pueden convertir a una cadena, lo que permite a un atacante provocar que el m\u00f3vil se bloquee al crear y enviar dicha publicaci\u00f3n a un canal."
}
],
"id": "CVE-2025-20630",
"lastModified": "2025-09-24T16:42:32.640",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-16T19:15:30.110",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-20072
Vulnerability from fkie_nvd - Published: 2025-01-16 18:15 - Updated: 2025-09-24 16:46
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25",
"versionEndExcluding": "2.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile versions \u003c= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input."
},
{
"lang": "es",
"value": " Las versiones de Mattermost Mobile \u0026lt;= 2.22.0 no pueden validar correctamente el estilo del proto suministrado al estilo de una acci\u00f3n en post.props.attachments, lo que permite a un atacante bloquear el m\u00f3vil a trav\u00e9s de una entrada maliciosa manipulada."
}
],
"id": "CVE-2025-20072",
"lastModified": "2025-09-24T16:46:59.433",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-16T18:15:28.517",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-704"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-0476
Vulnerability from fkie_nvd - Published: 2025-01-16 00:15 - Updated: 2025-09-24 16:47
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25",
"versionEndExcluding": "2.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
},
{
"lang": "es",
"value": " Las versiones de aplicaciones m\u00f3viles de Mattermost \u0026lt;=2.22.0 no pueden gestionar correctamente los nombres de archivos adjuntos especialmente manipulados, lo que permite que un atacante bloquee la aplicaci\u00f3n m\u00f3vil para cualquier usuario que haya abierto un canal que contenga el archivo adjunto especialmente manipulado."
}
],
"id": "CVE-2025-0476",
"lastModified": "2025-09-24T16:47:36.287",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-16T00:15:25.217",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-21083
Vulnerability from fkie_nvd - Published: 2025-01-15 17:15 - Updated: 2025-09-25 19:14
Severity ?
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25",
"versionEndExcluding": "2.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
},
{
"lang": "es",
"value": "Las versiones \u0026lt;=2.22.0 de las aplicaciones m\u00f3viles de Mattermost no logran validar correctamente las propiedades de las publicaciones, lo que permite que un usuario autenticado malintencionado provoque un bloqueo a trav\u00e9s de una publicaci\u00f3n maliciosa."
}
],
"id": "CVE-2025-21083",
"lastModified": "2025-09-25T19:14:15.380",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
},
"published": "2025-01-15T17:15:19.393",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-20036
Vulnerability from fkie_nvd - Published: 2025-01-15 17:15 - Updated: 2025-09-25 19:14
Severity ?
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0CB15D9-251D-4872-99D7-27AD709FBF25",
"versionEndExcluding": "2.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
},
{
"lang": "es",
"value": "Las versiones \u0026lt;=2.22.0 de las aplicaciones m\u00f3viles de Mattermost no logran validar correctamente las propiedades de las publicaciones, lo que permite que un usuario autenticado malintencionado provoque un bloqueo a trav\u00e9s de una publicaci\u00f3n maliciosa."
}
],
"id": "CVE-2025-20036",
"lastModified": "2025-09-25T19:14:06.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
},
"published": "2025-01-15T17:15:18.950",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-11358
Vulnerability from fkie_nvd - Published: 2024-12-16 17:15 - Updated: 2025-09-24 19:39
Severity ?
5.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * | |
| android | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90C8C3BE-5502-4358-BF3D-A60925911BB0",
"versionEndExcluding": "2.22.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Android Mobile Apps versions \u003c=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider."
},
{
"lang": "es",
"value": "Las versiones \u0026lt;=2.21.0 de las aplicaciones m\u00f3viles de Mattermost para Android no configuran correctamente los proveedores de archivos, lo que permite que un atacante con acceso local acceda a los archivos a trav\u00e9s del proveedor de archivos."
}
],
"id": "CVE-2024-11358",
"lastModified": "2025-09-24T19:39:33.813",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.2,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-16T17:15:07.543",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-45833
Vulnerability from fkie_nvd - Published: 2024-09-16 07:15 - Updated: 2024-09-23 13:43
Severity ?
4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6284015-4B02-4ACD-A910-C8B6FAFE540E",
"versionEndExcluding": "2.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."
},
{
"lang": "es",
"value": "Las versiones \u0026lt;=2.18.0 de Mattermost Mobile Apps no pueden deshabilitar el autocompletado durante el inicio de sesi\u00f3n al escribir la contrase\u00f1a y se selecciona la contrase\u00f1a visible, lo que permite que la contrase\u00f1a se guarde en el diccionario cuando el usuario tiene Swiftkey como teclado predeterminado, el enmascaramiento est\u00e1 desactivado y la contrase\u00f1a contiene un car\u00e1cter especial."
}
],
"id": "CVE-2024-45833",
"lastModified": "2024-09-23T13:43:42.073",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-16T07:15:03.663",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-693"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-32945
Vulnerability from fkie_nvd - Published: 2024-07-15 09:15 - Updated: 2024-11-21 09:16
Severity ?
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FC511A8-A955-4FF9-AC43-A84FFC4C3142",
"versionEndExcluding": "2.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to protect against abuse of a globally shared MathJax state\u00a0which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions."
},
{
"lang": "es",
"value": "Las versiones de Mattermost Mobile Apps \u0026lt;= 2.16.0 no protegen contra el abuso de un estado MathJax compartido globalmente que permite a un atacante cambiar el contenido de una publicaci\u00f3n de LateX mediante la creaci\u00f3n de otra publicaci\u00f3n con definiciones de macro espec\u00edficas."
}
],
"id": "CVE-2024-32945",
"lastModified": "2024-11-21T09:16:05.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-15T09:15:02.260",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-909"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-909"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-39767
Vulnerability from fkie_nvd - Published: 2024-07-15 09:15 - Updated: 2024-11-21 09:28
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications.
References
| URL | Tags | ||
|---|---|---|---|
| responsibledisclosure@mattermost.com | https://mattermost.com/security-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mattermost.com/security-updates | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mattermost | mattermost_mobile | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FC511A8-A955-4FF9-AC43-A84FFC4C3142",
"versionEndExcluding": "2.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications."
},
{
"lang": "es",
"value": "Las versiones de Mattermost Mobile Apps \u0026lt;= 2.16.0 no pueden validar que las notificaciones autom\u00e1ticas recibidas para un servidor en realidad provienen de este servicio, lo que permite a un servidor malicioso enviar notificaciones autom\u00e1ticas con el ID de diagn\u00f3stico o la URL del servidor de otro servidor y hacer que aparezcan en el dispositivo m\u00f3vil aplicaciones como las notificaciones push de ese servidor."
}
],
"id": "CVE-2024-39767",
"lastModified": "2024-11-21T09:28:20.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-15T09:15:02.573",
"references": [
{
"source": "responsibledisclosure@mattermost.com",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "responsibledisclosure@mattermost.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-30516 (GCVE-0-2025-30516)
Vulnerability from cvelistv5 – Published: 2025-04-14 06:56 – Updated: 2025-04-14 14:01
VLAI?
Title
Unauthorized Notification Exposure in Mobile App Under Specific Conditions
Summary
Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.25.0
(semver)
Unaffected: 2.26.0 |
Credits
Elias Nahum
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T13:59:13.520152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:01:51.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.25.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.26.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Elias Nahum"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0\u0026nbsp; fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T06:56:22.327Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.26.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00415",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61974"
],
"discovery": "INTERNAL"
},
"title": "Unauthorized Notification Exposure in Mobile App Under Specific Conditions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-30516",
"datePublished": "2025-04-14T06:56:22.327Z",
"dateReserved": "2025-04-08T07:50:19.632Z",
"dateUpdated": "2025-04-14T14:01:51.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1558 (GCVE-0-2025-1558)
Vulnerability from cvelistv5 – Published: 2025-03-24 15:01 – Updated: 2025-03-24 18:42
VLAI?
Title
Denial of Service Via Malicious GIF
Summary
Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.25.0
(semver)
Unaffected: 2.26.0 Unaffected: 2.25.1 |
Credits
defalt47
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T15:25:23.601581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:42:16.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.25.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.26.0"
},
{
"status": "unaffected",
"version": "2.25.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "defalt47"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T15:01:52.463Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00417",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62374"
],
"discovery": "EXTERNAL"
},
"title": "Denial of Service Via Malicious GIF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-1558",
"datePublished": "2025-03-24T15:01:52.463Z",
"dateReserved": "2025-02-21T15:44:40.158Z",
"dateUpdated": "2025-03-24T18:42:16.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20630 (GCVE-0-2025-20630)
Vulnerability from cvelistv5 – Published: 2025-01-16 18:18 – Updated: 2025-01-16 18:55
VLAI?
Title
Mobile crash via object that can't be cast to String in Attachment Field
Summary
Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ <=2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras (c0rydoras)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:54:57.228284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:55:51.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "\u003c=2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost Mobile versions \u0026lt;=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
}
],
"value": "Mattermost Mobile versions \u003c=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:18:58.742Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile to version 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile to version 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00390",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61161"
],
"discovery": "EXTERNAL"
},
"title": "Mobile crash via object that can\u0027t be cast to String in Attachment Field",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-20630",
"datePublished": "2025-01-16T18:18:58.742Z",
"dateReserved": "2025-01-16T18:10:41.938Z",
"dateUpdated": "2025-01-16T18:55:51.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20072 (GCVE-0-2025-20072)
Vulnerability from cvelistv5 – Published: 2025-01-16 17:51 – Updated: 2025-01-16 19:01
VLAI?
Title
Mobile crash via improper validation of proto style in attachments
Summary
Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
Severity ?
6.5 (Medium)
CWE
- CWE-704 - Incorrect Type Conversion or Cast
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T19:01:16.322892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T19:01:25.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile versions \u0026lt;= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Mattermost Mobile versions \u003c= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-704",
"description": "CWE-704: Incorrect Type Conversion or Cast",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T17:51:38.173Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00402",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61709"
],
"discovery": "EXTERNAL"
},
"title": "Mobile crash via improper validation of proto style in attachments",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-20072",
"datePublished": "2025-01-16T17:51:38.173Z",
"dateReserved": "2025-01-15T15:30:33.457Z",
"dateUpdated": "2025-01-16T19:01:25.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0476 (GCVE-0-2025-0476)
Vulnerability from cvelistv5 – Published: 2025-01-15 23:44 – Updated: 2025-01-16 14:22
VLAI?
Title
Mobile crash via file with specially crafted filename
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
Severity ?
4.3 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
lsibilev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:22:07.409471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:22:23.004Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lsibilev"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T23:44:45.934Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00405",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61752"
],
"discovery": "EXTERNAL"
},
"title": "Mobile crash via file with specially crafted filename",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-0476",
"datePublished": "2025-01-15T23:44:45.934Z",
"dateReserved": "2025-01-14T20:51:53.990Z",
"dateUpdated": "2025-01-16T14:22:23.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21083 (GCVE-0-2025-21083)
Vulnerability from cvelistv5 – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:48
VLAI?
Title
Insufficient Input Validation on Post Props
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras (c0rydoras)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T16:48:42.690406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:48:49.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:10:48.325Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00399",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62531"
],
"discovery": "EXTERNAL"
},
"title": "Insufficient Input Validation on Post Props",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-21083",
"datePublished": "2025-01-15T16:10:48.325Z",
"dateReserved": "2025-01-14T00:19:35.062Z",
"dateUpdated": "2025-01-15T16:48:49.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20036 (GCVE-0-2025-20036)
Vulnerability from cvelistv5 – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:49
VLAI?
Title
Insufficient Input Validation on Post Props
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras (c0rydoras)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T16:49:00.458575Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:49:13.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:10:47.847Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00398",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62529"
],
"discovery": "EXTERNAL"
},
"title": "Insufficient Input Validation on Post Props",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-20036",
"datePublished": "2025-01-15T16:10:47.847Z",
"dateReserved": "2025-01-14T00:19:35.045Z",
"dateUpdated": "2025-01-15T16:49:13.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11358 (GCVE-0-2024-11358)
Vulnerability from cvelistv5 – Published: 2024-12-16 16:20 – Updated: 2024-12-16 18:09
VLAI?
Title
Insecure Android File Provider Paths
Summary
Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
Severity ?
5.7 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.21.0
(semver)
Unaffected: 2.22.0 |
Credits
BugSniper (bugsniper1081)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T18:09:43.340893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T18:09:54.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.21.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.22.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BugSniper (bugsniper1081)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Android Mobile Apps versions \u0026lt;=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.\u003c/p\u003e"
}
],
"value": "Mattermost Android Mobile Apps versions \u003c=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T16:20:27.908Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.22.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.22.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00384",
"defect": [
"https://mattermost.atlassian.net/browse/MM-60637"
],
"discovery": "EXTERNAL"
},
"title": "Insecure Android File Provider Paths",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-11358",
"datePublished": "2024-12-16T16:20:27.908Z",
"dateReserved": "2024-11-18T18:41:08.491Z",
"dateUpdated": "2024-12-16T18:09:54.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45833 (GCVE-0-2024-45833)
Vulnerability from cvelistv5 – Published: 2024-09-16 06:41 – Updated: 2024-09-16 13:04
VLAI?
Title
Mobile password gets saved in dictionary under conditions
Summary
Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..
Severity ?
4.5 (Medium)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.18.0
(semver)
Unaffected: 2.19.0 |
Credits
@lolcabanon
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45833",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T13:04:05.356788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T13:04:55.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.19.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "@lolcabanon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u0026nbsp;password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T06:41:47.347Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.19.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00314",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56932"
],
"discovery": "EXTERNAL"
},
"title": "Mobile password gets saved in dictionary under conditions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-45833",
"datePublished": "2024-09-16T06:41:47.347Z",
"dateReserved": "2024-09-10T08:20:38.452Z",
"dateUpdated": "2024-09-16T13:04:55.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39767 (GCVE-0-2024-39767)
Vulnerability from cvelistv5 – Published: 2024-07-15 08:43 – Updated: 2024-08-02 04:26
VLAI?
Title
Spoofed push notifications from malicious server
Summary
Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications.
Severity ?
4.2 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.16.0
(semver)
Unaffected: 2.17.0 |
Credits
Juho Forsén
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39767",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T20:01:15.987749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T20:01:48.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.16.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.17.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications.\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T08:43:10.236Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00310",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56722"
],
"discovery": "INTERNAL"
},
"title": "Spoofed push notifications from malicious server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-39767",
"datePublished": "2024-07-15T08:43:10.236Z",
"dateReserved": "2024-07-11T14:48:59.897Z",
"dateUpdated": "2024-08-02T04:26:15.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30516 (GCVE-0-2025-30516)
Vulnerability from nvd – Published: 2025-04-14 06:56 – Updated: 2025-04-14 14:01
VLAI?
Title
Unauthorized Notification Exposure in Mobile App Under Specific Conditions
Summary
Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.25.0
(semver)
Unaffected: 2.26.0 |
Credits
Elias Nahum
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T13:59:13.520152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:01:51.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.25.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.26.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Elias Nahum"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0\u0026nbsp; fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T06:56:22.327Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.26.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00415",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61974"
],
"discovery": "INTERNAL"
},
"title": "Unauthorized Notification Exposure in Mobile App Under Specific Conditions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-30516",
"datePublished": "2025-04-14T06:56:22.327Z",
"dateReserved": "2025-04-08T07:50:19.632Z",
"dateUpdated": "2025-04-14T14:01:51.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1558 (GCVE-0-2025-1558)
Vulnerability from nvd – Published: 2025-03-24 15:01 – Updated: 2025-03-24 18:42
VLAI?
Title
Denial of Service Via Malicious GIF
Summary
Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.25.0
(semver)
Unaffected: 2.26.0 Unaffected: 2.25.1 |
Credits
defalt47
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T15:25:23.601581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:42:16.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.25.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.26.0"
},
{
"status": "unaffected",
"version": "2.25.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "defalt47"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T15:01:52.463Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00417",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62374"
],
"discovery": "EXTERNAL"
},
"title": "Denial of Service Via Malicious GIF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-1558",
"datePublished": "2025-03-24T15:01:52.463Z",
"dateReserved": "2025-02-21T15:44:40.158Z",
"dateUpdated": "2025-03-24T18:42:16.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20630 (GCVE-0-2025-20630)
Vulnerability from nvd – Published: 2025-01-16 18:18 – Updated: 2025-01-16 18:55
VLAI?
Title
Mobile crash via object that can't be cast to String in Attachment Field
Summary
Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ <=2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras (c0rydoras)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:54:57.228284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:55:51.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "\u003c=2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost Mobile versions \u0026lt;=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
}
],
"value": "Mattermost Mobile versions \u003c=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:18:58.742Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile to version 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile to version 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00390",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61161"
],
"discovery": "EXTERNAL"
},
"title": "Mobile crash via object that can\u0027t be cast to String in Attachment Field",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-20630",
"datePublished": "2025-01-16T18:18:58.742Z",
"dateReserved": "2025-01-16T18:10:41.938Z",
"dateUpdated": "2025-01-16T18:55:51.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20072 (GCVE-0-2025-20072)
Vulnerability from nvd – Published: 2025-01-16 17:51 – Updated: 2025-01-16 19:01
VLAI?
Title
Mobile crash via improper validation of proto style in attachments
Summary
Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
Severity ?
6.5 (Medium)
CWE
- CWE-704 - Incorrect Type Conversion or Cast
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T19:01:16.322892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T19:01:25.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile versions \u0026lt;= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Mattermost Mobile versions \u003c= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-704",
"description": "CWE-704: Incorrect Type Conversion or Cast",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T17:51:38.173Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00402",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61709"
],
"discovery": "EXTERNAL"
},
"title": "Mobile crash via improper validation of proto style in attachments",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-20072",
"datePublished": "2025-01-16T17:51:38.173Z",
"dateReserved": "2025-01-15T15:30:33.457Z",
"dateUpdated": "2025-01-16T19:01:25.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0476 (GCVE-0-2025-0476)
Vulnerability from nvd – Published: 2025-01-15 23:44 – Updated: 2025-01-16 14:22
VLAI?
Title
Mobile crash via file with specially crafted filename
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
Severity ?
4.3 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
lsibilev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:22:07.409471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:22:23.004Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lsibilev"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T23:44:45.934Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00405",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61752"
],
"discovery": "EXTERNAL"
},
"title": "Mobile crash via file with specially crafted filename",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-0476",
"datePublished": "2025-01-15T23:44:45.934Z",
"dateReserved": "2025-01-14T20:51:53.990Z",
"dateUpdated": "2025-01-16T14:22:23.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21083 (GCVE-0-2025-21083)
Vulnerability from nvd – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:48
VLAI?
Title
Insufficient Input Validation on Post Props
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras (c0rydoras)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T16:48:42.690406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:48:49.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:10:48.325Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00399",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62531"
],
"discovery": "EXTERNAL"
},
"title": "Insufficient Input Validation on Post Props",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-21083",
"datePublished": "2025-01-15T16:10:48.325Z",
"dateReserved": "2025-01-14T00:19:35.062Z",
"dateUpdated": "2025-01-15T16:48:49.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-20036 (GCVE-0-2025-20036)
Vulnerability from nvd – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:49
VLAI?
Title
Insufficient Input Validation on Post Props
Summary
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.22.0
(semver)
Unaffected: 2.23.0 |
Credits
c0rydoras (c0rydoras)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-20036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T16:49:00.458575Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:49:13.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.22.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.23.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "c0rydoras (c0rydoras)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T16:10:47.847Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00398",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62529"
],
"discovery": "EXTERNAL"
},
"title": "Insufficient Input Validation on Post Props",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-20036",
"datePublished": "2025-01-15T16:10:47.847Z",
"dateReserved": "2025-01-14T00:19:35.045Z",
"dateUpdated": "2025-01-15T16:49:13.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11358 (GCVE-0-2024-11358)
Vulnerability from nvd – Published: 2024-12-16 16:20 – Updated: 2024-12-16 18:09
VLAI?
Title
Insecure Android File Provider Paths
Summary
Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
Severity ?
5.7 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.21.0
(semver)
Unaffected: 2.22.0 |
Credits
BugSniper (bugsniper1081)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T18:09:43.340893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T18:09:54.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.21.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.22.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "BugSniper (bugsniper1081)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Android Mobile Apps versions \u0026lt;=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.\u003c/p\u003e"
}
],
"value": "Mattermost Android Mobile Apps versions \u003c=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T16:20:27.908Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.22.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.22.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00384",
"defect": [
"https://mattermost.atlassian.net/browse/MM-60637"
],
"discovery": "EXTERNAL"
},
"title": "Insecure Android File Provider Paths",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-11358",
"datePublished": "2024-12-16T16:20:27.908Z",
"dateReserved": "2024-11-18T18:41:08.491Z",
"dateUpdated": "2024-12-16T18:09:54.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45833 (GCVE-0-2024-45833)
Vulnerability from nvd – Published: 2024-09-16 06:41 – Updated: 2024-09-16 13:04
VLAI?
Title
Mobile password gets saved in dictionary under conditions
Summary
Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..
Severity ?
4.5 (Medium)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 2.18.0
(semver)
Unaffected: 2.19.0 |
Credits
@lolcabanon
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45833",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T13:04:05.356788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T13:04:55.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "2.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2.19.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "@lolcabanon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u0026nbsp;password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..\u003c/p\u003e"
}
],
"value": "Mattermost Mobile Apps versions \u003c=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T06:41:47.347Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.19.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00314",
"defect": [
"https://mattermost.atlassian.net/browse/MM-56932"
],
"discovery": "EXTERNAL"
},
"title": "Mobile password gets saved in dictionary under conditions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2024-45833",
"datePublished": "2024-09-16T06:41:47.347Z",
"dateReserved": "2024-09-10T08:20:38.452Z",
"dateUpdated": "2024-09-16T13:04:55.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}