PT-2025-51826 · Mattermost · Mattermost, Mattermost Calls
Doyensec · Published 2025-09-26 · Updated 2026-01-06
CVE-2025-62190 · CVSS v2.0 base score 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 11.0.0 through 11.0.4
Mattermost versions 10.11.0 through 10.11.6
Mattermost versions 10.12.0 through 10.12.2
Mattermost Calls versions 1.10.0 and earlier
Description
The Calls widget page does not properly implement Cross-Site Request Forgery (CSRF) protection. By luring an authenticated Mattermost user to a malicious web page or a crafted link, an attacker can make that user's browser start calls and inject messages into channels or direct messages, with the requests carrying the victim's own session. CSRF is a class of web vulnerability in which a trusted site accepts state-changing requests without verifying that they were issued by its own front end: because the browser attaches the victim's session cookie to cross-site requests as well, a page under the attacker's control can trigger actions the victim never intended.
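To make the defect class concrete, the following Go example (added here; it is not Mattermost's, Mattermost Calls' or Doyensec's code and is not taken from the advisory) puts a handler that trusts the session cookie alone beside one that also requires a same-origin Origin/Referer header and a per-session anti-CSRF token supplied in a request header. The endpoint path `/calls/start`, the cookie name `session`, the header name `X-CSRF-Token`, the in-memory session table and the origins are all assumptions constructed for the example. A forged cross-site request succeeds against the first handler and is rejected by the second, while the front end's own request still succeeds.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed session table for this example (not Mattermost's code): maps a
// session cookie value to the anti-CSRF token issued to that session.
var sessions = map[string]string{
	"sess-victim": "csrf-7f3a9c",
}

// Assumed origin of the Mattermost deployment.
const siteOrigin = "https://chat.example.com"

// callAction stands in for the state-changing operation the advisory names
// (starting a call or posting a message). It runs only if the handler in
// front of it accepts the request.
func callAction(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "call started in %s", r.FormValue("channel_id"))
}

// sessionToken resolves the session cookie to the CSRF token bound to that
// session; ok is false when there is no valid session.
func sessionToken(r *http.Request) (token string, ok bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	token, ok = sessions[c.Value]
	return token, ok
}

// vulnerableHandler trusts the session cookie alone. Browsers attach cookies
// to cross-site form submissions too, so any page the victim visits can make
// the browser perform the action: the defect class the advisory describes.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := sessionToken(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	callAction(w, r)
}

// sameOrigin checks that the browser-set Origin header (or, failing that,
// Referer) names the site's own origin. A request carrying neither is
// rejected: a state-changing call from the site's own front end always has one.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if err != nil || src == "" {
		return false
	}
	return u.Scheme+"://"+u.Host == siteOrigin
}

// hardenedHandler adds the two standard CSRF defences: the request must come
// from the site's own origin, and it must carry the token bound to the session
// in a header, which a cross-site page can neither read nor set.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	want, ok := sessionToken(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if !sameOrigin(r) {
		http.Error(w, "cross-site request rejected", http.StatusForbidden)
		return
	}
	got := r.Header.Get("X-CSRF-Token")
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		http.Error(w, "csrf token missing or invalid", http.StatusForbidden)
		return
	}
	callAction(w, r)
}

// post builds a cookie-authenticated POST to a hypothetical endpoint with the
// given extra headers, runs it through h and returns the response status.
func post(h http.HandlerFunc, headers map[string]string) int {
	r := httptest.NewRequest(http.MethodPost, "/calls/start",
		strings.NewReader("channel_id=general"))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.AddCookie(&http.Cookie{Name: "session", Value: "sess-victim"})
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code
}

// forgedRequest models the attack: the victim's browser, carrying the session
// cookie, auto-submits a form from an attacker-controlled page. That page
// cannot add X-CSRF-Token, and the browser sets Origin to the attacker's site.
func forgedRequest(h http.HandlerFunc) int {
	return post(h, map[string]string{"Origin": "https://attacker.example"})
}

// legitimateRequest is what the site's own front end sends: same origin, plus
// the per-session token it obtained from the page.
func legitimateRequest(h http.HandlerFunc) int {
	return post(h, map[string]string{
		"Origin":       siteOrigin,
		"X-CSRF-Token": "csrf-7f3a9c",
	})
}

func main() {
	fmt.Println("forged -> vulnerable:", forgedRequest(vulnerableHandler))   // 200
	fmt.Println("forged -> hardened:  ", forgedRequest(hardenedHandler))     // 403
	fmt.Println("legit  -> hardened:  ", legitimateRequest(hardenedHandler)) // 200
}
```

Note that the Origin check alone is not sufficient in practice (some clients and older browsers omit the header, and a misconfigured reflecting CORS policy can undermine it), which is why the hardened handler also requires the session-bound token; a real server would issue that token at login and expose it to its own scripts without making it readable cross-site.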
Recommendations
Update Mattermost to a version later than 11.0.4
Update Mattermost to a version later than 10.11.6
Update Mattermost to a version later than 10.12.2
Update Mattermost Calls to a version later than 1.10.0
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost
Mattermost Calls