Mattermost and Mattermost Calls Cross-Site Request Forgery Vulnerability in Calls Widget

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Mattermost versions 11.0.x prior to 11.0.4, 10.12.x prior to 10.12.2, 10.11.x prior to 10.11.6, and Mattermost Calls versions prior to 1.10.0. The vulnerability arises from the lack of CSRF protection on the Calls widget page, allowing an authenticated attacker to initiate calls and inject messages into channels or direct messages through a malicious webpage or crafted link.
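As an added illustration, not code from Mattermost or the Calls plugin, the kind of server-side guard whose absence the advisory describes: a check run before a widget action (starting a call, posting a message) that refuses requests the browser did not issue from the site's own origin and requires a double-submit anti-CSRF token. The site URL, the cookie and header names, and the action path are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
)

// Constructed for this example: the server's public origin (no path) and hypothetical token cookie/header names.
const (
	siteURL    = "https://chat.example.com"
	csrfCookie = "csrf_token"
	csrfHeader = "X-CSRF-Token"
)
// CheckWidgetAction guards a state-changing widget endpoint (start a call, post a message).
// Step 1: Sec-Fetch-Site, set by the browser and not by page script, must be "same-origin";
// "none" (a typed URL or crafted link) and "cross-site" (another page's form or fetch) are
// refused, and browsers that omit the header get an Origin check against siteURL instead.
// Step 2: double-submit token, the header must equal a cookie another site cannot read.
func CheckWidgetAction(r *http.Request) error {
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin":
	case "":
		if r.Header.Get("Origin") != siteURL {
			return errors.New("origin header missing or not the site URL")
		}
	default:
		return errors.New("request is not same-origin")
	}
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		return errors.New("missing CSRF cookie")
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.Header.Get(csrfHeader))) != 1 {
		return errors.New("CSRF token mismatch")
	}
	return nil
}

// ActionAllowed builds a POST to a hypothetical action path with the given browser-set
// headers (cookieHdr is the raw Cookie header) and reports whether the guard lets it run.
func ActionAllowed(secFetchSite, origin, cookieHdr, token string) bool {
	r, _ := http.NewRequest(http.MethodPost, siteURL+"/widget/start-call", nil)
	for k, v := range map[string]string{"Sec-Fetch-Site": secFetchSite, "Origin": origin, "Cookie": cookieHdr, csrfHeader: token} {
		if v != "" {
			r.Header.Set(k, v)
		}
	}
	return CheckWidgetAction(r) == nil
}
```

A navigation from a crafted link arrives with Sec-Fetch-Site "none" or "cross-site" and without the token header, so it is refused before any call is started or message posted.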

Impact

Exploitation of this vulnerability could lead to unauthorized initiation of calls and injection of messages into channels or direct messages, potentially disrupting communication or causing confusion among users.

Remediation

Upgrade to Mattermost version 11.1.0, 10.12.3, or 10.11.7. For Mattermost Calls, install version 1.10.0 or later.

Added: Dec 17, 2025, 1:19 PM
Updated: Dec 17, 2025, 1:19 PM

Vulnerability Rating (Custom Algorithm)

spread          3.1
impact          0.6
exploitability  5.0
remediation     7.7
relevance       1.4
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.