A vulnerability exists in Mattermost Server versions prior to 2.1.0 that allows cross-site scripting (XSS) via cross-site request forgery (CSRF): a forged cross-origin request can cause the server to store or reflect attacker-controlled content that is later executed as script in another user's browser. Deployments running a version before 2.1.0 are affected; 2.1.0 and later are not.
Vendor: Mattermost. Product: Mattermost Server.