CVE-2025-62190
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-29
Assigner: Mattermost, Inc.
Description
Description
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.7 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.3 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.5 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
