In Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, and 9.5.x <= 9.5.8, a medium severity vulnerability was detected. This vulnerability allows attackers to retrieve post and file information from archived channels, even when viewing archived channels is disabled. Examples include flagged or unread posts and files. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-42406.
In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier, a high severity vulnerability, CVE-2024-47048, was detected. This vulnerability allows attackers to inject harmful code into app descriptions, which could lead to stealing personal data or taking control of user accounts. To fix this issue, users should upgrade Rocket.Chat to version 6.12.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47048.
In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier, a low severity vulnerability, CVE-2024-46936, was detected. Rocket.Chat is vulnerable to message forgery, allowing attackers to impersonate other users and send fake messages. To fix this problem, users should upgrade to version 6.13.0, 6.12.1, or one of the backported versions 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46936.
In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier, a medium severity vulnerability, CVE-2024-46935, was detected. This vulnerability allows attackers to crash the Rocket.Chat workspace by sending specially crafted messages, potentially causing a denial of service (DoS). To fix this problem, users should upgrade to version 6.13.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46935.
In Mattermost Desktop App versions 5.8.0 and earlier, a medium severity vulnerability, CVE-2024-45835, was detected. This vulnerability allows attackers to gather Chromium cookies or exploit other misconfigurations through remote or local access due to insufficient configuration of Electron Fuses. To fix this issue, it is recommended to update to versions later than 5.8.0 for the Desktop App and versions earlier than 5.9.0 for the Mattermost Server. For more details, visit https://avd.aquasec.com/nvd/cve-2024-45835.
In Mattermost Desktop App versions up to 5.8.0, a medium severity vulnerability, CVE-2024-39613, was detected. This vulnerability allows local attackers to execute remote code by placing a malicious cmd.exe file in the Downloads folder on a user’s machine. To fix this issue, users should upgrade Mattermost to version 5.9.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39613.
In Mattermost Desktop App versions 5.8.0 and earlier, a medium severity vulnerability, CVE-2024-39772, was detected. This vulnerability allows attackers to silently capture high-quality screenshots via JavaScript APIs due to a failure in safeguarding screen capture functionality. To fix this issue, users must upgrade to version 5.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39772.
In Mattermost Desktop App versions 5.8.0 and earlier, a medium severity vulnerability, CVE-2024-39613, was detected. This vulnerability allows a local attacker to exploit the failure to specify an absolute path when searching for cmd.exe, enabling them to place a malicious cmd.exe file in the user’s Downloads folder and execute remote code. To fix this issue, users must upgrade to version 5.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39613.
In Mattermost Mobile Apps versions up to 2.18.0, a medium severity vulnerability, CVE-2024-45833, was detected. This issue allows attackers to access passwords saved in the dictionary if the SwiftKey keyboard is being used, the password includes a special character, and password masking is turned off. To fix this issue, users should upgrade Mattermost to version 2.19.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-45833.