Doyensec

**Name of the Vulnerable Software and Affected Versions** Mattermost Mobile Apps versions prior to 2.38 **Description** The application fails to properly validate the SSO authentication callback origin. This allows an attacker who controls a malicious Mattermost server to steal user credentials for a legitimate Mattermost server by relaying the SSO code exchange flow through the mobile application. **Recommendations** Update to a version newer than 2.37.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to 6.0.0 **Description** The Mattermost Desktop App does not properly remove sensitive information from its logs or clear data when a server is deleted. This could allow an attacker who has access to a user's system to obtain potentially sensitive information by reading the application logs. **Recommendations** Update to Mattermost Desktop App version 6.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.x through 10.5.12 Mattermost versions 10.11.x through 10.11.4 **Description** An authenticated user can access files and subscribe to blocks in Boards without proper permission validation. This allows access to files from other boards and subscription to blocks from boards the user should not have access to. **Recommendations** Update Mattermost to a version later than 10.5.12. Update Mattermost to a version later than 10.11.4.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to 5.13.0 **Description** The Mattermost Desktop App does not properly manage modals. This impacts users connecting to servers that utilize basic authentication, potentially preventing access. An attacker can provide a malicious server to a user, and upon configuration, force a modal popup that cannot be closed, effectively denying use of the Desktop App. **Recommendations** Update to a version greater than 5.13.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.10.x through 10.10.2 Mattermost versions 10.11.x through 10.11.1 **Description** A flaw exists in Mattermost where the system does not properly verify a user’s permission to join a team using an invite token. This allows an attacker to join any team on a Mattermost server, bypassing restrictions through manipulation of the `RelayState` parameter. The issue involves improper validation of user permissions when joining a team via an invite token. **Recommendations** Update Mattermost to a version later than 10.5.10 Update Mattermost to a version later than 10.10.2 Update Mattermost to a version later than 10.11.1

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.10.x through 10.10.2 Mattermost versions 10.11.x through 10.11.1 **Description** The Mattermost software has an issue where user permissions are not properly verified when joining a team using an invite token. This is due to manipulation of the OAuth state parameter. An attacker can bypass team membership restrictions and join any team on a Mattermost server without authorization. **Recommendations** Update Mattermost versions to a version later than 10.5.10 Update Mattermost versions to a version later than 10.10.2 Update Mattermost versions to a version later than 10.11.1

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.11.x through 10.11.2 **Description** The software does not employ constant-time comparison for sensitive string comparisons, creating a timing oracle. This allows attackers to exploit timing differences during response time analysis to perform byte-by-byte brute force attacks on Cloud API keys and OAuth client secrets. **Recommendations** Update Mattermost to a version beyond 10.5.10. Update Mattermost to a version beyond 10.11.2.

**Name of the Vulnerable Software and Affected Versions** Mattermost Mobile Apps versions prior to 2.32.0 **Description** The Mattermost Mobile Apps do not properly validate Single Sign-On (SSO) redirect tokens to ensure they come from a trusted server. This allows a malicious Mattermost instance or an attacker positioned on the network path to steal user session credentials through specially crafted token-in-URL responses. **Recommendations** Update Mattermost Mobile Apps to version 2.32.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost Desktop App versions through 5.13.0 **Description** The Mattermost Desktop App does not properly validate URLs originating from outside the configured Mattermost servers. This allows a malicious server to cause the application to crash by sending a specially crafted URL to a user. **Recommendations** Update Mattermost Desktop App to a version later than 5.13.0.

**Name of the Vulnerable Software and Affected Versions** rardecode versions 2.1.1 and earlier **Description** The software does not properly limit the dictionary size when processing RAR files. An attacker can exploit this by providing a specially crafted RAR file with a large dictionary size, leading to a Denial of Service due to an Out Of Memory crash. **Recommendations** Update to a version newer than 2.1.1.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.0.0 through 11.0.4 Mattermost versions 10.11.0 through 10.11.6 Mattermost versions 10.12.0 through 10.12.2 Mattermost Calls versions 1.10.0 and earlier **Description** The software does not properly implement Cross-Site Request Forgery (CSRF) protection on the Calls widget page. This allows an authenticated attacker to initiate calls and inject messages into channels or direct messages through a malicious webpage or crafted link. CSRF is a type of web security issue where an attacker can trick a user's browser into performing unwanted actions on a trusted site when the user is authenticated. **Recommendations** Update Mattermost to a version later than 11.0.4 Update Mattermost to a version later than 10.11.6 Update Mattermost to a version later than 10.12.2 Update Mattermost Calls to a version later than 1.10.0

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.0 through 10.5.9 Mattermost versions 10.9.0 through 10.9.4 Mattermost versions 10.10.0 through 10.10.1 **Description** Mattermost fails to validate the `redirect to` parameter, potentially allowing an attacker to craft a malicious link. Upon a user authenticating with their SAML provider, their cookies could be posted to a URL controlled by the attacker. **Recommendations** Mattermost versions 10.5.0 through 10.5.9: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Mattermost versions 10.9.0 through 10.9.4: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Mattermost versions 10.10.0 through 10.10.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.11.x through 9.11.2 Mattermost versions 9.5.x through 9.5.10 **Description** The issue allows an attacker to reuse the MFA code within ~30 seconds due to a failure to protect the MFA code against replay attacks. **Recommendations** For versions 9.11.x through 9.11.2, update to a version later than 9.11.2 to resolve the issue. For versions 9.5.x through 9.5.10, update to a version later than 9.5.10 to resolve the issue. As a temporary workaround, consider restricting access to MFA-protected resources until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.9 Mattermost versions 9.10.x through 9.10.2 Mattermost versions 9.11.x through 9.11.1 **Description** The issue allows an attacker to generate a large response and cause an amplified GraphQL response which could cause the application to crash by sending a specially crafted request to Playbooks. This is due to the failure to prevent detailed error messages from being displayed in Playbooks. **Recommendations** For Mattermost versions 9.5.x through 9.5.9, update to a version later than 9.5.9 to resolve the issue. For Mattermost versions 9.10.x through 9.10.2, update to a version later than 9.10.2 to resolve the issue. For Mattermost versions 9.11.x through 9.11.1, update to a version later than 9.11.1 to resolve the issue. As a temporary workaround, consider restricting access to Playbooks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.10.x through 9.10.2 Mattermost versions 9.11.x through 9.11.1 Mattermost versions 9.5.x through 9.5.9 **Description** The issue is related to a failure in sanitizing user inputs in the frontend, which are used for redirection. This leads to a one-click client-side path traversal, resulting in Cross-Site Request Forgery (CSRF) in Playbooks. **Recommendations** For versions 9.10.x through 9.10.2, update to a version later than 9.10.2 to resolve the issue. For versions 9.11.x through 9.11.1, update to a version later than 9.11.1 to resolve the issue. For versions 9.5.x through 9.5.9, update to a version later than 9.5.9 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.8 Description: The issue arises from Mattermost's failure to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, potentially allowing an attacker to cause a server-side request forgery (SSRF) if Mattermost is deployed in Oracle Cloud or Alibaba. This could enable an attacker to remotely manipulate server requests. Recommendations: For Mattermost versions 9.5.x through 9.5.8, upgrade Mattermost immediately to mitigate the risk of server-side request forgery. As a temporary workaround, consider restricting access to the metadata endpoints of Oracle Cloud and Alibaba to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost Desktop App versions <=5.8.0 **Description** The issue concerns a flaw in the screen capture functionality of the Mattermost Desktop App, allowing an attacker to silently capture high-quality screenshots via JavaScript APIs. **Recommendations** For Mattermost Desktop App versions <=5.8.0, update to a version higher than 5.8.0 to resolve the issue. As a temporary workaround, consider disabling the screen capture functionality until a patch is available. Restrict access to sensitive information on devices running the affected versions to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Mattermost Desktop App versions <=5.8.0 Description: The Mattermost Desktop App fails to sufficiently configure Electron Fuses, allowing an attacker to gather Chromium cookies or abuse other misconfigurations via remote or local access. This issue can be exploited locally. Recommendations: For Mattermost Desktop App versions <=5.8.0, upgrade the affected component to a version that properly configures Electron Fuses to prevent exploitation. As a temporary workaround, consider restricting access to sensitive data stored in Chromium cookies until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.7 Mattermost versions 9.10.x through 9.10.0 **Description** The issue is related to improper access controls, allowing any authenticated user, including guests, to mark any channel inside any team as read for any user. This affects the ability to enforce proper access controls within the system. **Recommendations** For Mattermost versions 9.5.x through 9.5.7, update to a version later than 9.5.7 to resolve the issue. For Mattermost versions 9.10.x through 9.10.0, update to a version later than 9.10.0 to resolve the issue. As a temporary workaround, consider restricting access to sensitive channels and teams to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 9.5.x through 9.5.7 Mattermost versions 9.10.x through 9.10.0 **Description** The issue arises from the failure to time limit and size limit the CA path file in the ElasticSearch configuration. This allows a System Role with access to the Elasticsearch system console to add any file as a CA path field. For example, adding `/dev/zero` and then testing the connection can cause the application to crash. **Recommendations** For Mattermost versions 9.5.x through 9.5.7, restrict access to the Elasticsearch system console to prevent exploitation. For Mattermost versions 9.10.x through 9.10.0, limit the size and time of the CA path file in the ElasticSearch configuration to prevent abuse. As a temporary workaround, consider disabling access to the ElasticSearch configuration until a patch is available.