CVE-2024-45833

Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*

History

23 Sep 2024, 13:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mattermost:mattermost_mobile::::::::
First Time		Mattermost Mattermost mattermost Mobile
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~4.5~~	v2 : unknown v3 : 6.5
References	~~() https://mattermost.com/security-updates -~~	() https://mattermost.com/security-updates - Vendor Advisory

16 Sep 2024, 15:30

Type	Values Removed	Values Added
Summary		(es) Las versiones <=2.18.0 de Mattermost Mobile Apps no pueden deshabilitar el autocompletado durante el inicio de sesión al escribir la contraseña y se selecciona la contraseña visible, lo que permite que la contraseña se guarde en el diccionario cuando el usuario tiene Swiftkey como teclado predeterminado, el enmascaramiento está desactivado y la contraseña contiene un carácter especial.

16 Sep 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-16 07:15

Updated : 2024-09-23 13:43

NVD link : CVE-2024-45833

Mitre link : CVE-2024-45833

CVE.ORG link : CVE-2024-45833

JSON object : View

Products Affected

mattermost

mattermost_mobile

CWE

NVD-CWE-Other CWE-693

Protection Mechanism Failure

{"id": "CVE-2024-45833", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}]}, "published": "2024-09-16T07:15:03.663", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-693"}]}], "descriptions": [{"lang": "en", "value": "Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the\u00a0password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.."}, {"lang": "es", "value": "Las versiones <=2.18.0 de Mattermost Mobile Apps no pueden deshabilitar el autocompletado durante el inicio de sesi\u00f3n al escribir la contrase\u00f1a y se selecciona la contrase\u00f1a visible, lo que permite que la contrase\u00f1a se guarde en el diccionario cuando el usuario tiene Swiftkey como teclado predeterminado, el enmascaramiento est\u00e1 desactivado y la contrase\u00f1a contiene un car\u00e1cter especial."}], "lastModified": "2024-09-23T13:43:42.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_mobile:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6284015-4B02-4ACD-A910-C8B6FAFE540E", "versionEndExcluding": "2.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}