CVE-2025-13321— Mattermost Desktop App logging sensitive information and fails to clear data on server deletion
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-13321
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mattermost Desktop App logging sensitive information and fails to clear data on server deletion
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过日志文件的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mattermost Desktop App 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mattermost Desktop App是美国Mattermost公司的一款消息传递桌面版应用程序。 Mattermost Desktop App 6.0.0之前版本存在安全漏洞,该漏洞源于未清理Mattermost日志中的敏感信息且服务器删除时未清除数据,可能导致通过读取应用程序日志访问敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Mattermost | Mattermost | 0 ~ 6.0.0 | - |
II. Public POCs for CVE-2025-13321
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-13321
请登录查看更多情报信息。
Same Patch Batch · Mattermost · 2025-12-17 · 7 CVEs total
| CVE-2025-12689 | 6.5 MEDIUM | DoS in Calls plugin via malformed UTF-8 in WebSocket request |
| CVE-2025-62190 | 4.3 MEDIUM | CSRF Allows Call Initiation and Message Delivery |
| CVE-2025-13326 | 3.9 LOW | Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store |
| CVE-2025-13324 | 3.7 LOW | Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation |
| CVE-2025-62690 | 3.1 LOW | Open redirect in error page when link opened in new tab |
| CVE-2025-13352 | 3.0 LOW | Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hija |
IV. Related Vulnerabilities
Same product: Mattermost
- CVE-2026-3590
Race Condition in Guest Magic Link Authentication Allows Tok - CVE-2026-28741
CSRF Protection Bypass Allows Updating a User's Authenticati - CVE-2026-27769
Connected Workspaces: Malicious remote server can manipulate - CVE-2026-24661
Unbounded Request Body Read in MS Teams Plugin {{/changes}} - CVE-2026-21388
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}
Same vendor: Mattermost
- CVE-2026-3590
Race Condition in Guest Magic Link Authentication Allows Tok - CVE-2026-28741
CSRF Protection Bypass Allows Updating a User's Authenticati - CVE-2026-27769
Connected Workspaces: Malicious remote server can manipulate - CVE-2026-24661
Unbounded Request Body Read in MS Teams Plugin {{/changes}} - CVE-2026-21388
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}
Same weakness: CWE-532
- CVE-2026-42282
n8n-MCP: Sensitive MCP tool-call arguments logged on authent - CVE-2026-41495
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Req - CVE-2026-41004
VMware Spring Cloud Config 日志信息泄露漏洞 - CVE-2024-30151
HCL BigFix Service Management (SM) is susceptible to Broken - CVE-2026-7824
PaperCut Hive (Ricoh): Plain text password in logs
V. Comments for CVE-2025-13321
No comments yet