In Mattermost Mobile Apps versions 2.22.0 and prior, a medium severity vulnerability, CVE-2025-0476, was detected. This vulnerability allows an attacker to crash the mobile app for any user who opens a channel containing a specially crafted attachment. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0476.
In Mattermost versions 9.11.x up to and including 9.11.5, a low severity vulnerability, CVE-2025-22449, was detected. This vulnerability allows team admins who lack permission to invite users to their team to bypass that restriction by updating the “allow_open_invite” field, making their team public and then inviting users. To address this issue, users should upgrade Mattermost to version 9.11.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22449.
In Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12, a medium severity vulnerability, CVE-2024-54083, was detected. This vulnerability allows attackers to cause a client-side denial of service (DoS) for users of particular channels by sending specially crafted posts. To address this issue, users should upgrade Mattermost to version 10.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54083.
In Discourse instances configured to use `FileStore::LocalStore`, versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a high severity vulnerability, CVE-2024-53991, was detected. This vulnerability allows attackers who know a backup file's name to access Discourse backup files by crafting specific requests to nginx. To address this issue, users should upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53991.
In Discourse versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a medium severity vulnerability, CVE-2024-52794, was detected. This vulnerability allows attackers to target users who click on lightbox thumbnails. To address this issue, users must upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52794.
In Discourse versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a low severity vulnerability, CVE-2024-52589, was detected. This vulnerability allows moderators to view user email addresses through the Screened Emails list in the admin dashboard. To address this issue, users should upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52589.
In Discourse versions stable 3.3.2 and prior; beta 3.4.0.beta3 and prior; tests-passed 3.4.0.beta3 and prior, a medium severity vulnerability, CVE-2024-49765, was detected. This vulnerability allows attackers to bypass Discourse Connect and create accounts or log in if local login methods are still enabled. To address this issue, users should upgrade Discourse to the stable 3.3.3 or above; beta 3.4.0.beta4 or above; tests-passed 3.4.0.beta4 or above versions. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-49765.
In Mattermost versions 10.1.x up to 10.1.2, 10.0.x up to 10.0.2, 9.11.x up to 9.11.4, and 9.5.x up to 9.5.12, a medium severity vulnerability, CVE-2024-48872, was detected. This vulnerability allows attackers to bypass the “Max failed attempts” restriction by sending a large number of simultaneous login requests, enabling multiple login attempts before being blocked. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-48872.
In Mattermost Android Mobile Apps versions 2.21.0 and prior, a medium severity vulnerability, CVE-2024-11358, was detected. This vulnerability allows attackers with local access to access files via file providers. To address this issue, users should upgrade to version 2.22.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11358.