PT-2024-28554 · Mattermost · Mattermost Desktop App

Spark · Published 2024-09-15 · Updated 2024-09-22
CVE-2024-39613 · CVSS v3.1 7.8 (High) · Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Mattermost Desktop App versions <=5.8.0
Description The Mattermost Desktop App launches cmd.exe without specifying an absolute path, so the binary is located through the process's executable search path instead of being taken from the Windows system directory (CWE-427, Uncontrolled Search Path Element). A local attacker who can place a malicious cmd.exe in the user's Downloads folder can have it run in place of the real shell, obtaining code execution on that machine with the privileges of the user running the app. The CVSS vector reflects this: the attack is local (AV:L), needs no prior privileges (PR:N), and requires the user to trigger the launch (UI:R).
Recommendations For Mattermost Desktop App versions <=5.8.0, upgrade to version 5.9.0, which resolves the issue. As a temporary workaround, restrict write access to the user's Downloads folder so that an attacker cannot plant a cmd.exe there, and check that folder for an unexpected cmd.exe before the upgrade is applied.

Weakness Enumeration

CWE-427: Uncontrolled Search Path Element

Related Identifiers

CVE-2024-39613
GHSA-WJ4J-QC2M-FGH7

Affected Products

Mattermost Desktop App