PT-2025-51826 · Mattermost · Mattermost+1
Doyensec
Published: 2025-09-26 · Updated: 2026-01-06
CVE-2025-62190
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Mattermost versions 11.0.0 through 11.0.4
Mattermost versions 10.11.0 through 10.11.6
Mattermost versions 10.12.0 through 10.12.2
Mattermost Calls versions 1.10.0 and earlier
Description
The software does not properly implement Cross-Site Request Forgery (CSRF) protection on the Calls widget page. This allows an authenticated attacker to initiate calls and inject messages into channels or direct messages through a malicious webpage or crafted link. CSRF is a class of web security issue in which an attacker tricks a user's browser into performing unwanted, state-changing actions on a trusted site while the user is still authenticated to that site, because the browser attaches the session cookie to the forged request automatically.
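The check that is missing in the description above is what stops a page on another origin from driving a state-changing request with the victim's session. As an added illustration (this is example code written for this page, not Mattermost's, Mattermost Calls' or Doyensec's code), the Go middleware below guards a hypothetical widget endpoint with two layers: the Origin/Referer header must name the site's own origin, and a double-submit token (a cookie value that must be echoed in a custom request header) must match. The site URL, cookie name, header name and `/widget/start` route are assumptions chosen for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// SiteURL is the canonical origin of the server. Assumption for this example:
// an operator-configured value, not a Mattermost setting name.
const SiteURL = "https://chat.example.test"

// Cookie and header names are this example's own choices for the
// double-submit pattern; they are not Mattermost identifiers.
const (
	csrfCookieName = "csrf_token"
	csrfHeaderName = "X-CSRF-Token"
)

// SameOrigin reports whether the request's Origin (or, failing that, Referer)
// names the site's own origin. Requests with neither header are treated as
// cross-site: a state-changing request from our own widget always carries one.
func SameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	if err != nil {
		return false
	}
	site, _ := url.Parse(SiteURL)
	return strings.EqualFold(u.Scheme, site.Scheme) && strings.EqualFold(u.Host, site.Host)
}

// TokenMatches implements the double-submit check: the value in the CSRF
// cookie must equal the value in the custom header. A cross-site page can
// make the browser send the cookie, but cannot read it or set the header.
func TokenMatches(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" {
		return false
	}
	h := r.Header.Get(csrfHeaderName)
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) == 1
}

// CSRFProtect wraps a handler so that state-changing requests must be
// same-origin AND carry a matching token; safe methods pass through.
func CSRFProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		if !SameOrigin(r) || !TokenMatches(r) {
			http.Error(w, "forbidden: CSRF check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewCallsHandler builds a minimal stand-in for a widget endpoint that starts
// a call; the route and response body are invented for this example.
func NewCallsHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/widget/start", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprintln(w, "call started")
	})
	return CSRFProtect(mux)
}

// Status sends a constructed POST through the protected handler and returns
// the HTTP status code; empty strings omit the corresponding header or cookie.
func Status(h http.Handler, origin, cookie, header string) int {
	req := httptest.NewRequest(http.MethodPost, SiteURL+"/widget/start", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookie})
	}
	if header != "" {
		req.Header.Set(csrfHeaderName, header)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	h := NewCallsHandler()
	// Constructed scenarios: a cross-site page can make the browser forward
	// the cookie, but cannot supply the custom header or a same-site Origin.
	fmt.Println("cross-site, cookie only:   ", Status(h, "https://other.example.test", "abc", ""))
	fmt.Println("same-origin, token mismatch:", Status(h, SiteURL, "abc", "xyz"))
	fmt.Println("same-origin, token ok:      ", Status(h, SiteURL, "abc", "abc"))
}
```

The two checks are deliberately independent: the origin check fails closed when neither Origin nor Referer is present, and the token check uses a constant-time comparison so a mismatch cannot be distinguished by timing. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer on top of these server-side checks.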
Recommendations
Update Mattermost to a version later than 11.0.4
Update Mattermost to a version later than 10.11.6
Update Mattermost to a version later than 10.12.2
Update Mattermost Calls to a version later than 1.10.0
Fix
CSRF
Weakness Enumeration
Related identifiers
Affected products
Mattermost
Mattermost Calls