CVE-2016-11084
Description
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | < 2.1.0 | 2.1.0 |
Affected products
- Mattermost/Server
  - ghsa coordinates (2 versions): pkg:golang/github.com/mattermost/mattermost-server, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - < 2.1.0 (+ 1 more)
  - (no CPE) range: < 2.1.0
  - (no CPE) range: < 0.0.20251105T184115-1.1
Patches
Vulnerability mechanics
Root cause
"Missing CSRF protections allow an attacker to forge authenticated requests, which can then inject unneutralized input leading to stored XSS."
Attack vector
An attacker crafts a malicious web page that, when visited by an authenticated Mattermost user, triggers a cross-site request forgery (CSRF) [CWE-352] against the Mattermost server. Because the server lacks CSRF protections, the forged request is processed as if it came from the legitimate user. The attacker then injects JavaScript into a page served to other users, resulting in stored cross-site scripting (XSS) [CWE-79]. The attack requires the victim to be logged into Mattermost and to visit the attacker-controlled page.
Affected code
The patch only updates the Dockerfile to reference the final 2.1.0 release tarball instead of an RC2 build. No source-code diff is provided, so the exact vulnerable functions are not visible in this bundle. The advisory indicates the vulnerability existed in Mattermost Server before 2.1.0.
What the fix does
The patch [patch_id=2247338] only updates the Dockerfile to pull the final 2.1.0 release tarball instead of an RC2 build. No source-code changes are shown in this bundle, so the specific fix for the CSRF-to-XSS issue is not visible. The advisory states the vulnerability is resolved in Mattermost Server 2.1.0, implying that CSRF protections and/or output sanitization were added in that release.
Preconditions
- input: The attacker must craft a malicious page that the victim visits while authenticated to the Mattermost server.
- auth: The victim must have an active session on the Mattermost server.
- config: The Mattermost server must be version 2.1.0-rc2 or earlier (before the fix).
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vw57-55f8-c73q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-11084 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
- mattermost.com/security-updates/ (mitre, x_refsource_CONFIRM)