CVE-2025-62190Cross-Site Request Forgery in Mattermost Mattermost-plugin-calls

CWE-352Cross-Site Request Forgery6 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 94.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Mattermost Mattermost-plugin-callsMattermost ServerMattermost
Timeline
PublishedDec 17
Latest updateDec 30

Description

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDmattermost/mattermost_server10.11.010.11.7+2
CVEListV5mattermost/mattermost11.0.011.0.4+2

🔴Vulnerability Details

4
OSV
Mattermost has CSRF vulnerability via Calls Widget page in github.com/mattermost/mattermost-plugin-calls2025-12-30
OSV
Mattermost has CSRF vulnerability via Calls Widget page2025-12-17
GHSA
Mattermost has CSRF vulnerability via Calls Widget page2025-12-17
CVEList
CSRF Allows Call Initiation and Message Delivery2025-12-17

🕵️Threat Intelligence

1
Wiz
CVE-2025-62190 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-62190 — Cross-Site Request Forgery | cvebase