CVE-2025-62190

Summary

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.0.0 <= 11.0.4affected
MattermostMattermost10.12.0 <= 10.12.2affected
MattermostMattermost10.11.0 <= 10.11.6affected
MattermostMattermost11.1.0unaffected
MattermostMattermost11.0.5unaffected
MattermostMattermost10.12.3unaffected
MattermostMattermost10.11.7unaffected

Weaknesses

  • CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References