An issue exists in Mattermost Server prior to 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
mattermost mattermost server