VYPR

Mattermost Mobile Apps

by Mattermost

CVEs (23)

  • CVE-2019-20851 | Critical | Jun 19, 2020
    risk 0.59 | cvss 9.1 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device.

  • CVE-2020-13891 | High | Jun 26, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.

  • CVE-2020-14451 | High | Jun 19, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.

  • CVE-2020-14449 | High | Jun 19, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.30.0. Authorization tokens can sometimes be disclosed to third-party servers, aka MMSA-2020-0018.

  • CVE-2019-20848 | High | Jun 19, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Quick Reply feature mishandles crafted replies.

  • CVE-2025-1558 | Medium | Mar 24, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering, which allows a malicious user to cause the Android application to crash via a message containing a maliciously crafted GIF.

  • CVE-2025-20630 | Medium | Jan 16, 2025
    risk 0.42 | cvss 6.5 | epss 0.01

    Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile app to crash by creating and sending such a post to a channel.

  • CVE-2025-20072 | Medium | Jan 16, 2025
    risk 0.42 | cvss 6.5 | epss 0.01

    Mattermost Mobile versions <=2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile app via crafted malicious input.

  • CVE-2025-21083 | Medium | Jan 15, 2025
    risk 0.42 | cvss 6.5 | epss 0.01

    Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.

  • CVE-2025-20036 | Medium | Jan 15, 2025
    risk 0.42 | cvss 6.5 | epss 0.01

    Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.

  • CVE-2019-20852 | High | Jun 19, 2020
    risk 0.42 | cvss 7.5 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content).

  • CVE-2026-22880 | Medium | May 21, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via…

  • CVE-2024-11358 | Medium | Dec 16, 2024
    risk 0.37 | cvss 5.7 | epss 0.00

    Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers, which allows an attacker with local access to access files via the file provider.

  • CVE-2019-20850 | Medium | Jun 19, 2020
    risk 0.35 | cvss 5.3 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.26.0. A view cache can persist on a device after a logout.

  • CVE-2019-20849 | Medium | Jun 19, 2020
    risk 0.35 | cvss 5.3 | epss 0.01

    An issue was discovered in Mattermost Mobile Apps before 1.26.0. Cookie data can persist on a device after a logout.

  • CVE-2024-45833 | Medium | Sep 16, 2024
    risk 0.29 | cvss 4.5 | epss 0.00

    Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has SwiftKey as the default keyboard, the masking is off and the…

  • CVE-2025-0476 | Medium | Jan 16, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment.

  • CVE-2023-5522 | Medium | Oct 17, 2023
    risk 0.28 | cvss 4.3 | epss 0.00

    Mattermost Mobile fails to limit the maximum number of Markdown elements in a post, allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel.

  • CVE-2024-24975 | Low | Mar 15, 2024
    risk 0.23 | cvss 3.5 | epss 0.00

    Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.

  • CVE-2024-39767 | Medium | Jul 15, 2024
    risk 0.20 | cvss 4.2 | epss 0.00

    Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this server, which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in…
