npm package
mattermost-desktop
pkg:npm/mattermost-desktop
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-13321 | — | <= 3.6.0 | — | Dec 17, 2025 | Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs. | ||
| CVE-2025-1398 | — | < 5.11.0 | 5.11.0 | Mar 17, 2025 | Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. | ||
| CVE-2024-45835 | — | < 5.9.0 | 5.9.0 | Sep 16, 2024 | Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access. | ||
| CVE-2024-39772 | — | < 5.9.0 | 5.9.0 | Sep 16, 2024 | Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs. | ||
| CVE-2024-39613 | — | < 5.9.0 | 5.9.0 | Sep 16, 2024 | Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine. | ||
| CVE-2024-37182 | — | < 5.8.0 | 5.8.0 | Jun 14, 2024 | Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes. | ||
| CVE-2024-36287 | — | < 5.8.0 | 5.8.0 | Jun 14, 2024 | Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS. |
- CVE-2025-13321Dec 17, 2025affected <= 3.6.0
Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs.
- CVE-2025-1398Mar 17, 2025affected < 5.11.0fixed 5.11.0
Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.
- CVE-2024-45835Sep 16, 2024affected < 5.9.0fixed 5.9.0
Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.
- CVE-2024-39772Sep 16, 2024affected < 5.9.0fixed 5.9.0
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.
- CVE-2024-39613Sep 16, 2024affected < 5.9.0fixed 5.9.0
Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.
- CVE-2024-37182Jun 14, 2024affected < 5.8.0fixed 5.8.0
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.
- CVE-2024-36287Jun 14, 2024affected < 5.8.0fixed 5.8.0
Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.