Mattermost Desktop
CVE-2025-1398
LOW
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.
AnalysisAI
Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-426. Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. Affected products include: Mattermost Mattermost Desktop.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Mattermost Desktop
View allMattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a
Arbitrary code execution in Mattermost Desktop App through version 6.2.0 results from insufficient validation of help me
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated high severity (CVSS 7.3), this vulnerability is re
Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.5), this vulnerability is
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.1), this vulnerability is
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in loggin
Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website. Rated me
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silen
Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enro
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowi
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today