Devin Binnie

**Name of the Vulnerable Software and Affected Versions** Mattermost Desktop App versions prior to 6.2 **Description** The application fails to prevent server-rendered content from closing an underlying application view. This allows a malicious server or plugin to crash the desktop client by invoking the `window.close()` function in the renderer context, resulting in a denial of service condition at the client level. **Recommendations** Update to a version newer than 6.1.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.11.x through 9.11.6 **Description** The issue allows an attacker to infer user IDs and other metadata from deleted direct messages (DMs) if someone had manually marked DMs as deleted in the database. This is possible because the software fails to filter out DMs from the deleted channels endpoint. **Recommendations** For Mattermost versions 9.11.x through 9.11.6, consider restricting access to the deleted channels endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.