CVE-2025-62190

EUVD-2025-203892
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
MattermostCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
10.11.0 ≤
𝑥
< 10.11.7
mattermostmattermost_server
10.12.0 ≤
𝑥
< 10.12.3
mattermostmattermost_server
11.0.0 ≤
𝑥
< 11.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates