Search

Find a vulnerability

Search criteria

    40 vulnerabilities found for mattermost_mobile by mattermost

    CVE-2025-59480 (GCVE-0-2025-59480)

    Vulnerability from nvd – Published: 2025-11-13 17:32 – Updated: 2025-11-13 18:02
    VLAI
    Title
    Inadequate validation of SSO redirect credentials permits credential theft
    Summary
    Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.32.0 (semver)
    Unaffected: 2.33.0
    Create a notification for this product.
    Credits
    Doyensec
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59480",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-13T18:02:17.008542Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-13T18:02:26.585Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.32.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.33.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Doyensec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Mobile Apps versions \u003c=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-13T17:32:04.772Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost Mobile Apps to versions 2.33.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2025-00522",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-65083"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Inadequate validation of SSO redirect credentials permits credential theft"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-59480",
        "datePublished": "2025-11-13T17:32:04.772Z",
        "dateReserved": "2025-10-15T11:16:32.195Z",
        "dateUpdated": "2025-11-13T18:02:26.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30516 (GCVE-0-2025-30516)

    Vulnerability from nvd – Published: 2025-04-14 06:56 – Updated: 2025-04-14 14:01
    VLAI
    Title
    Unauthorized Notification Exposure in Mobile App Under Specific Conditions
    Summary
    Mattermost Mobile Apps versions <=2.25.0  fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.25.0 (semver)
    Unaffected: 2.26.0
    Create a notification for this product.
    Credits
    Elias Nahum
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30516",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T13:59:13.520152Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T14:01:51.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.25.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.26.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Elias Nahum"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0\u0026nbsp; fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "NONE",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T06:56:22.327Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.26.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00415",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61974"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Unauthorized Notification Exposure in Mobile App Under Specific Conditions",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-30516",
        "datePublished": "2025-04-14T06:56:22.327Z",
        "dateReserved": "2025-04-08T07:50:19.632Z",
        "dateUpdated": "2025-04-14T14:01:51.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1558 (GCVE-0-2025-1558)

    Vulnerability from nvd – Published: 2025-03-24 15:01 – Updated: 2025-03-24 18:42
    VLAI
    Title
    Denial of Service Via Malicious GIF
    Summary
    Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.25.0 (semver)
    Unaffected: 2.26.0
    Unaffected: 2.25.1
    Create a notification for this product.
    Credits
    defalt47
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1558",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T15:25:23.601581Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:42:16.481Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.25.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.26.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.25.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "defalt47"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-24T15:01:52.463Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00417",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-62374"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service Via Malicious GIF",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-1558",
        "datePublished": "2025-03-24T15:01:52.463Z",
        "dateReserved": "2025-02-21T15:44:40.158Z",
        "dateUpdated": "2025-03-24T18:42:16.481Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20630 (GCVE-0-2025-20630)

    Vulnerability from nvd – Published: 2025-01-16 18:18 – Updated: 2025-01-16 18:55
    VLAI
    Title
    Mobile crash via object that can't be cast to String in Attachment Field
    Summary
    Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ <=2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras (c0rydoras)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20630",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:54:57.228284Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:55:51.501Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "\u003c=2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras (c0rydoras)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Mattermost Mobile versions \u0026lt;=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
                }
              ],
              "value": "Mattermost Mobile versions \u003c=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T18:18:58.742Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile to version 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile to version 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00390",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61161"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile crash via object that can\u0027t be cast to String in Attachment Field",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-20630",
        "datePublished": "2025-01-16T18:18:58.742Z",
        "dateReserved": "2025-01-16T18:10:41.938Z",
        "dateUpdated": "2025-01-16T18:55:51.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20072 (GCVE-0-2025-20072)

    Vulnerability from nvd – Published: 2025-01-16 17:51 – Updated: 2025-01-16 19:01
    VLAI
    Title
    Mobile crash via improper validation of proto style in attachments
    Summary
    Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-704 - Incorrect Type Conversion or Cast
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20072",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T19:01:16.322892Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T19:01:25.308Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile versions \u0026lt;= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile versions \u003c= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-704",
                  "description": "CWE-704: Incorrect Type Conversion or Cast",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T17:51:38.173Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00402",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61709"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile crash via improper validation of proto style in attachments",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-20072",
        "datePublished": "2025-01-16T17:51:38.173Z",
        "dateReserved": "2025-01-15T15:30:33.457Z",
        "dateUpdated": "2025-01-16T19:01:25.308Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-0476 (GCVE-0-2025-0476)

    Vulnerability from nvd – Published: 2025-01-15 23:44 – Updated: 2025-01-16 14:22
    VLAI
    Title
    Mobile crash via file with specially crafted filename
    Summary
    Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    lsibilev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0476",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T14:22:07.409471Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T14:22:23.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "lsibilev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Mattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-15T23:44:45.934Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00405",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61752"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile crash via file with specially crafted filename",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-0476",
        "datePublished": "2025-01-15T23:44:45.934Z",
        "dateReserved": "2025-01-14T20:51:53.990Z",
        "dateUpdated": "2025-01-16T14:22:23.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-21083 (GCVE-0-2025-21083)

    Vulnerability from nvd – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:48
    VLAI
    Title
    Insufficient Input Validation on Post Props
    Summary
    Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras (c0rydoras)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-21083",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-15T16:48:42.690406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-15T16:48:49.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras (c0rydoras)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-15T16:10:48.325Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00399",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-62531"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Insufficient Input Validation on Post Props",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-21083",
        "datePublished": "2025-01-15T16:10:48.325Z",
        "dateReserved": "2025-01-14T00:19:35.062Z",
        "dateUpdated": "2025-01-15T16:48:49.749Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20036 (GCVE-0-2025-20036)

    Vulnerability from nvd – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:49
    VLAI
    Title
    Insufficient Input Validation on Post Props
    Summary
    Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras (c0rydoras)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20036",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-15T16:49:00.458575Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-15T16:49:13.457Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras (c0rydoras)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-15T16:10:47.847Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00398",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-62529"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Insufficient Input Validation on Post Props",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-20036",
        "datePublished": "2025-01-15T16:10:47.847Z",
        "dateReserved": "2025-01-14T00:19:35.045Z",
        "dateUpdated": "2025-01-15T16:49:13.457Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-11358 (GCVE-0-2024-11358)

    Vulnerability from nvd – Published: 2024-12-16 16:20 – Updated: 2024-12-16 18:09
    VLAI
    Title
    Insecure Android File Provider Paths
    Summary
    Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.21.0 (semver)
    Unaffected: 2.22.0
    Create a notification for this product.
    Credits
    BugSniper (bugsniper1081)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11358",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-16T18:09:43.340893Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-16T18:09:54.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.21.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.22.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "BugSniper (bugsniper1081)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Android Mobile Apps versions \u0026lt;=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Android Mobile Apps versions \u003c=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-16T16:20:27.908Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.22.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.22.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00384",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-60637"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Insecure Android File Provider Paths",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-11358",
        "datePublished": "2024-12-16T16:20:27.908Z",
        "dateReserved": "2024-11-18T18:41:08.491Z",
        "dateUpdated": "2024-12-16T18:09:54.764Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45833 (GCVE-0-2024-45833)

    Vulnerability from nvd – Published: 2024-09-16 06:41 – Updated: 2024-09-16 13:04
    VLAI
    Title
    Mobile password gets saved in dictionary under conditions
    Summary
    Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.18.0 (semver)
    Unaffected: 2.19.0
    Create a notification for this product.
    Credits
    @lolcabanon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45833",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T13:04:05.356788Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T13:04:55.732Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.19.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "@lolcabanon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u0026nbsp;password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693: Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-16T06:41:47.347Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.19.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00314",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-56932"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile password gets saved in dictionary under conditions",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-45833",
        "datePublished": "2024-09-16T06:41:47.347Z",
        "dateReserved": "2024-09-10T08:20:38.452Z",
        "dateUpdated": "2024-09-16T13:04:55.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-39767 (GCVE-0-2024-39767)

    Vulnerability from nvd – Published: 2024-07-15 08:43 – Updated: 2024-08-02 04:26
    VLAI
    Title
    Spoofed push notifications from malicious server
    Summary
    Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.16.0 (semver)
    Unaffected: 2.17.0
    Create a notification for this product.
    Credits
    Juho Forsén
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-39767",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-19T20:01:15.987749Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-19T20:01:48.007Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:26:15.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.17.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Fors\u00e9n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications.\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T08:43:10.236Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00310",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-56722"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Spoofed push notifications from malicious server",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-39767",
        "datePublished": "2024-07-15T08:43:10.236Z",
        "dateReserved": "2024-07-11T14:48:59.897Z",
        "dateUpdated": "2024-08-02T04:26:15.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32945 (GCVE-0-2024-32945)

    Vulnerability from nvd – Published: 2024-07-15 08:42 – Updated: 2024-08-02 02:27
    VLAI
    Title
    LaTeX post content manipulation via renderer state leak across contexts
    Summary
    Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-909 - Missing Initialization of Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.16.0 (semver)
    Unaffected: 2.17.0
    Create a notification for this product.
    mattermost mattermost Affected: 0 , ≤ 2.16.0 (semver)
    Unaffected: 2.17.0
        cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Juho Nurminen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "mattermost",
                "vendor": "mattermost",
                "versions": [
                  {
                    "lessThanOrEqual": "2.16.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  },
                  {
                    "status": "unaffected",
                    "version": "2.17.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T15:37:36.760670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T15:44:30.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:27:52.391Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.17.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Nurminen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to protect against abuse of a globally shared MathJax state\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewhich allows an attacker to change the contents of a LateX post, by creating another post with specific  macro definitions.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to protect against abuse of a globally shared MathJax state\u00a0which allows an attacker to change the contents of a LateX post, by creating another post with specific  macro definitions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-909",
                  "description": "CWE-909: Missing Initialization of Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T08:42:19.268Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00336",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-57561"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "LaTeX post content manipulation via renderer state leak across contexts",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-32945",
        "datePublished": "2024-07-15T08:42:19.268Z",
        "dateReserved": "2024-07-11T14:48:59.891Z",
        "dateUpdated": "2024-08-02T02:27:52.391Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3872 (GCVE-0-2024-3872)

    Vulnerability from nvd – Published: 2024-04-16 09:05 – Updated: 2024-08-01 20:26
    VLAI
    Summary
    Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.13.0 (semver)
    Unaffected: 2.14.0
    Create a notification for this product.
    mattermost mattermost_mobile Affected: 0 , ≤ 2.13.0 (semver)
        cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Juho Nurminen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mattermost_mobile",
                "vendor": "mattermost",
                "versions": [
                  {
                    "lessThanOrEqual": "2.13.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-22T14:26:40.200608Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:32:17.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.005Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.14.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Nurminen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-16T09:05:04.719Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.14.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.14.0 or higher.\n\n"
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00303",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-55751"
            ],
            "discovery": "INTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-3872",
        "datePublished": "2024-04-16T09:05:04.719Z",
        "dateReserved": "2024-04-16T08:51:45.288Z",
        "dateUpdated": "2024-08-01T20:26:57.005Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-24975 (GCVE-0-2024-24975)

    Vulnerability from nvd – Published: 2024-03-15 09:07 – Updated: 2024-08-01 23:36
    VLAI
    Title
    Denial of Service for mobile app users due to automatic code highlighting
    Summary
    Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Mobile Unaffected: 2.13.0
    Affected: 0 , ≤ 2.12.0 (semver)
    Create a notification for this product.
    mattermost mattermost_mobile Affected: 0 , ≤ 2.12.0 (semver)
        cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Gian Klug (coderion)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mattermost_mobile",
                "vendor": "mattermost",
                "versions": [
                  {
                    "lessThanOrEqual": "2.12.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-24975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-22T14:23:59.354672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:43:22.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:36:21.260Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost Mobile",
              "vendor": "Mattermost",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.13.0"
                },
                {
                  "lessThanOrEqual": "2.12.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gian Klug (coderion)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003elimit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u0026nbsp;\u003c/span\u003every large code block and crash the mobile app.\u003cbr\u003e"
                }
              ],
              "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u00a0limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u00a0very large code block and crash the mobile app.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-15T09:07:13.379Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.13.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.13.0 or higher.\n\n"
            }
          ],
          "source": {
            "advisory": "MMSA-2023-00277",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-55257"
            ],
            "discovery": "EXTERNAL"
          },
          "title": " Denial of Service for mobile app users due to automatic code highlighting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-24975",
        "datePublished": "2024-03-15T09:07:13.379Z",
        "dateReserved": "2024-03-14T09:38:07.486Z",
        "dateUpdated": "2024-08-01T23:36:21.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20852 (GCVE-0-2019-20852)

    Vulnerability from nvd – Published: 2020-06-19 14:04 – Updated: 2024-08-05 02:53
    VLAI
    Summary
    An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content).
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates/ x_refsource_CONFIRM
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:53:09.436Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-19T14:04:14.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://mattermost.com/security-updates/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-20852",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/security-updates/",
                  "refsource": "CONFIRM",
                  "url": "https://mattermost.com/security-updates/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-20852",
        "datePublished": "2020-06-19T14:04:14.000Z",
        "dateReserved": "2020-06-19T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:53:09.436Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14451 (GCVE-0-2020-14451)

    Vulnerability from nvd – Published: 2020-06-19 13:08 – Updated: 2024-08-04 12:46
    VLAI
    Summary
    An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates/ x_refsource_CONFIRM
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:46:34.503Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-19T13:08:36.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://mattermost.com/security-updates/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-14451",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/security-updates/",
                  "refsource": "CONFIRM",
                  "url": "https://mattermost.com/security-updates/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-14451",
        "datePublished": "2020-06-19T13:08:36.000Z",
        "dateReserved": "2020-06-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T12:46:34.503Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-59480 (GCVE-0-2025-59480)

    Vulnerability from cvelistv5 – Published: 2025-11-13 17:32 – Updated: 2025-11-13 18:02
    VLAI
    Title
    Inadequate validation of SSO redirect credentials permits credential theft
    Summary
    Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.32.0 (semver)
    Unaffected: 2.33.0
    Create a notification for this product.
    Credits
    Doyensec
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59480",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-13T18:02:17.008542Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-13T18:02:26.585Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.32.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.33.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Doyensec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Mobile Apps versions \u003c=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-13T17:32:04.772Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update Mattermost Mobile Apps to versions 2.33.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2025-00522",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-65083"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Inadequate validation of SSO redirect credentials permits credential theft"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-59480",
        "datePublished": "2025-11-13T17:32:04.772Z",
        "dateReserved": "2025-10-15T11:16:32.195Z",
        "dateUpdated": "2025-11-13T18:02:26.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30516 (GCVE-0-2025-30516)

    Vulnerability from cvelistv5 – Published: 2025-04-14 06:56 – Updated: 2025-04-14 14:01
    VLAI
    Title
    Unauthorized Notification Exposure in Mobile App Under Specific Conditions
    Summary
    Mattermost Mobile Apps versions <=2.25.0  fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.25.0 (semver)
    Unaffected: 2.26.0
    Create a notification for this product.
    Credits
    Elias Nahum
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30516",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T13:59:13.520152Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T14:01:51.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.25.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.26.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Elias Nahum"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0\u0026nbsp; fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.25.0\u00a0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "NONE",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T06:56:22.327Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.26.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00415",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61974"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Unauthorized Notification Exposure in Mobile App Under Specific Conditions",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-30516",
        "datePublished": "2025-04-14T06:56:22.327Z",
        "dateReserved": "2025-04-08T07:50:19.632Z",
        "dateUpdated": "2025-04-14T14:01:51.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1558 (GCVE-0-2025-1558)

    Vulnerability from cvelistv5 – Published: 2025-03-24 15:01 – Updated: 2025-03-24 18:42
    VLAI
    Title
    Denial of Service Via Malicious GIF
    Summary
    Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.25.0 (semver)
    Unaffected: 2.26.0
    Unaffected: 2.25.1
    Create a notification for this product.
    Credits
    defalt47
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1558",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T15:25:23.601581Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:42:16.481Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.25.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.26.0"
                },
                {
                  "status": "unaffected",
                  "version": "2.25.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "defalt47"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-24T15:01:52.463Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00417",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-62374"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service Via Malicious GIF",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-1558",
        "datePublished": "2025-03-24T15:01:52.463Z",
        "dateReserved": "2025-02-21T15:44:40.158Z",
        "dateUpdated": "2025-03-24T18:42:16.481Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20630 (GCVE-0-2025-20630)

    Vulnerability from cvelistv5 – Published: 2025-01-16 18:18 – Updated: 2025-01-16 18:55
    VLAI
    Title
    Mobile crash via object that can't be cast to String in Attachment Field
    Summary
    Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ <=2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras (c0rydoras)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20630",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T18:54:57.228284Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T18:55:51.501Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "\u003c=2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras (c0rydoras)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Mattermost Mobile versions \u0026lt;=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
                }
              ],
              "value": "Mattermost Mobile versions \u003c=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T18:18:58.742Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile to version 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile to version 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00390",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61161"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile crash via object that can\u0027t be cast to String in Attachment Field",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-20630",
        "datePublished": "2025-01-16T18:18:58.742Z",
        "dateReserved": "2025-01-16T18:10:41.938Z",
        "dateUpdated": "2025-01-16T18:55:51.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20072 (GCVE-0-2025-20072)

    Vulnerability from cvelistv5 – Published: 2025-01-16 17:51 – Updated: 2025-01-16 19:01
    VLAI
    Title
    Mobile crash via improper validation of proto style in attachments
    Summary
    Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-704 - Incorrect Type Conversion or Cast
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20072",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T19:01:16.322892Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T19:01:25.308Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile versions \u0026lt;= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile versions \u003c= 2.22.0 fail to properly validate the style of proto supplied to an action\u0027s style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-704",
                  "description": "CWE-704: Incorrect Type Conversion or Cast",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-16T17:51:38.173Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost to versions 10.3.0, 2.23.0, 10.2.1, 9.11.6, 10.0.4, 10.1.4 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00402",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61709"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile crash via improper validation of proto style in attachments",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-20072",
        "datePublished": "2025-01-16T17:51:38.173Z",
        "dateReserved": "2025-01-15T15:30:33.457Z",
        "dateUpdated": "2025-01-16T19:01:25.308Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-0476 (GCVE-0-2025-0476)

    Vulnerability from cvelistv5 – Published: 2025-01-15 23:44 – Updated: 2025-01-16 14:22
    VLAI
    Title
    Mobile crash via file with specially crafted filename
    Summary
    Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    lsibilev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0476",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T14:22:07.409471Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-16T14:22:23.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "lsibilev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Mattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-15T23:44:45.934Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00405",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-61752"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile crash via file with specially crafted filename",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-0476",
        "datePublished": "2025-01-15T23:44:45.934Z",
        "dateReserved": "2025-01-14T20:51:53.990Z",
        "dateUpdated": "2025-01-16T14:22:23.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-21083 (GCVE-0-2025-21083)

    Vulnerability from cvelistv5 – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:48
    VLAI
    Title
    Insufficient Input Validation on Post Props
    Summary
    Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras (c0rydoras)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-21083",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-15T16:48:42.690406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-15T16:48:49.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras (c0rydoras)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-15T16:10:48.325Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00399",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-62531"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Insufficient Input Validation on Post Props",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-21083",
        "datePublished": "2025-01-15T16:10:48.325Z",
        "dateReserved": "2025-01-14T00:19:35.062Z",
        "dateUpdated": "2025-01-15T16:48:49.749Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-20036 (GCVE-0-2025-20036)

    Vulnerability from cvelistv5 – Published: 2025-01-15 16:10 – Updated: 2025-01-15 16:49
    VLAI
    Title
    Insufficient Input Validation on Post Props
    Summary
    Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.22.0 (semver)
    Unaffected: 2.23.0
    Create a notification for this product.
    Credits
    c0rydoras (c0rydoras)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-20036",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-15T16:49:00.458575Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-15T16:49:13.457Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.22.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.23.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "c0rydoras (c0rydoras)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-15T16:10:47.847Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.23.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.23.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00398",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-62529"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Insufficient Input Validation on Post Props",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2025-20036",
        "datePublished": "2025-01-15T16:10:47.847Z",
        "dateReserved": "2025-01-14T00:19:35.045Z",
        "dateUpdated": "2025-01-15T16:49:13.457Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-11358 (GCVE-0-2024-11358)

    Vulnerability from cvelistv5 – Published: 2024-12-16 16:20 – Updated: 2024-12-16 18:09
    VLAI
    Title
    Insecure Android File Provider Paths
    Summary
    Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.21.0 (semver)
    Unaffected: 2.22.0
    Create a notification for this product.
    Credits
    BugSniper (bugsniper1081)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11358",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-16T18:09:43.340893Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-16T18:09:54.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.21.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.22.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "BugSniper (bugsniper1081)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Android Mobile Apps versions \u0026lt;=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Android Mobile Apps versions \u003c=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-16T16:20:27.908Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.22.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.22.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00384",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-60637"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Insecure Android File Provider Paths",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-11358",
        "datePublished": "2024-12-16T16:20:27.908Z",
        "dateReserved": "2024-11-18T18:41:08.491Z",
        "dateUpdated": "2024-12-16T18:09:54.764Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45833 (GCVE-0-2024-45833)

    Vulnerability from cvelistv5 – Published: 2024-09-16 06:41 – Updated: 2024-09-16 13:04
    VLAI
    Title
    Mobile password gets saved in dictionary under conditions
    Summary
    Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.18.0 (semver)
    Unaffected: 2.19.0
    Create a notification for this product.
    Credits
    @lolcabanon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45833",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T13:04:05.356788Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T13:04:55.732Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.19.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "@lolcabanon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u0026nbsp;password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "CWE-693: Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-16T06:41:47.347Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.19.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.19.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00314",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-56932"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Mobile password gets saved in dictionary under conditions",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-45833",
        "datePublished": "2024-09-16T06:41:47.347Z",
        "dateReserved": "2024-09-10T08:20:38.452Z",
        "dateUpdated": "2024-09-16T13:04:55.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-39767 (GCVE-0-2024-39767)

    Vulnerability from cvelistv5 – Published: 2024-07-15 08:43 – Updated: 2024-08-02 04:26
    VLAI
    Title
    Spoofed push notifications from malicious server
    Summary
    Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.16.0 (semver)
    Unaffected: 2.17.0
    Create a notification for this product.
    Credits
    Juho Forsén
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-39767",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-19T20:01:15.987749Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-19T20:01:48.007Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:26:15.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.17.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Fors\u00e9n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications.\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server\u2019s diagnostic ID or server URL and have them show up in mobile apps as that server\u2019s push notifications."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T08:43:10.236Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00310",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-56722"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Spoofed push notifications from malicious server",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-39767",
        "datePublished": "2024-07-15T08:43:10.236Z",
        "dateReserved": "2024-07-11T14:48:59.897Z",
        "dateUpdated": "2024-08-02T04:26:15.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32945 (GCVE-0-2024-32945)

    Vulnerability from cvelistv5 – Published: 2024-07-15 08:42 – Updated: 2024-08-02 02:27
    VLAI
    Title
    LaTeX post content manipulation via renderer state leak across contexts
    Summary
    Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-909 - Missing Initialization of Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.16.0 (semver)
    Unaffected: 2.17.0
    Create a notification for this product.
    mattermost mattermost Affected: 0 , ≤ 2.16.0 (semver)
    Unaffected: 2.17.0
        cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Juho Nurminen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "mattermost",
                "vendor": "mattermost",
                "versions": [
                  {
                    "lessThanOrEqual": "2.16.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  },
                  {
                    "status": "unaffected",
                    "version": "2.17.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-16T15:37:36.760670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-16T15:44:30.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:27:52.391Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.17.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Nurminen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile Apps versions \u0026lt;=2.16.0 fail to protect against abuse of a globally shared MathJax state\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewhich allows an attacker to change the contents of a LateX post, by creating another post with specific  macro definitions.\u003c/span\u003e\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile Apps versions \u003c=2.16.0 fail to protect against abuse of a globally shared MathJax state\u00a0which allows an attacker to change the contents of a LateX post, by creating another post with specific  macro definitions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-909",
                  "description": "CWE-909: Missing Initialization of Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-15T08:42:19.268Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.17.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.17.0 or higher."
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00336",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-57561"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "LaTeX post content manipulation via renderer state leak across contexts",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-32945",
        "datePublished": "2024-07-15T08:42:19.268Z",
        "dateReserved": "2024-07-11T14:48:59.891Z",
        "dateUpdated": "2024-08-02T02:27:52.391Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3872 (GCVE-0-2024-3872)

    Vulnerability from cvelistv5 – Published: 2024-04-16 09:05 – Updated: 2024-08-01 20:26
    VLAI
    Summary
    Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Affected: 0 , ≤ 2.13.0 (semver)
    Unaffected: 2.14.0
    Create a notification for this product.
    mattermost mattermost_mobile Affected: 0 , ≤ 2.13.0 (semver)
        cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Juho Nurminen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mattermost_mobile",
                "vendor": "mattermost",
                "versions": [
                  {
                    "lessThanOrEqual": "2.13.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-22T14:26:40.200608Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:32:17.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.005Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "2.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.14.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juho Nurminen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.\u003c/p\u003e"
                }
              ],
              "value": "Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app via a long maliciously crafted link.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-16T09:05:04.719Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.14.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.14.0 or higher.\n\n"
            }
          ],
          "source": {
            "advisory": "MMSA-2024-00303",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-55751"
            ],
            "discovery": "INTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-3872",
        "datePublished": "2024-04-16T09:05:04.719Z",
        "dateReserved": "2024-04-16T08:51:45.288Z",
        "dateUpdated": "2024-08-01T20:26:57.005Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-24975 (GCVE-0-2024-24975)

    Vulnerability from cvelistv5 – Published: 2024-03-15 09:07 – Updated: 2024-08-01 23:36
    VLAI
    Title
    Denial of Service for mobile app users due to automatic code highlighting
    Summary
    Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Mobile Unaffected: 2.13.0
    Affected: 0 , ≤ 2.12.0 (semver)
    Create a notification for this product.
    mattermost mattermost_mobile Affected: 0 , ≤ 2.12.0 (semver)
        cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Gian Klug (coderion)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mattermost_mobile",
                "vendor": "mattermost",
                "versions": [
                  {
                    "lessThanOrEqual": "2.12.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-24975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-22T14:23:59.354672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:43:22.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:36:21.260Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost Mobile",
              "vendor": "Mattermost",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.13.0"
                },
                {
                  "lessThanOrEqual": "2.12.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gian Klug (coderion)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003elimit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u0026nbsp;\u003c/span\u003every large code block and crash the mobile app.\u003cbr\u003e"
                }
              ],
              "value": "Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to\u00a0limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a\u00a0very large code block and crash the mobile app.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-15T09:07:13.379Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://mattermost.com/security-updates"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Mobile Apps to versions 2.13.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Mobile Apps to versions 2.13.0 or higher.\n\n"
            }
          ],
          "source": {
            "advisory": "MMSA-2023-00277",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-55257"
            ],
            "discovery": "EXTERNAL"
          },
          "title": " Denial of Service for mobile app users due to automatic code highlighting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2024-24975",
        "datePublished": "2024-03-15T09:07:13.379Z",
        "dateReserved": "2024-03-14T09:38:07.486Z",
        "dateUpdated": "2024-08-01T23:36:21.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }