CVE-2021-3742

A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a new tab, it can trigger the SSRF, potentially leading to host redirection.
Configurations

Configuration 1 (hide)

cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*

History

19 Nov 2024, 17:10

Type Values Removed Values Added
First Time Chatwoot
Chatwoot chatwoot
CVSS v2 : unknown
v3 : 7.9
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*
References () https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c - () https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c - Product
References () https://huntr.com/bounties/1625472546121-chatwoot/chatwoot - () https://huntr.com/bounties/1625472546121-chatwoot/chatwoot - Broken Link

15 Nov 2024, 13:58

Type Values Removed Values Added
Summary
  • (es) Se descubrió una vulnerabilidad de Server-Side Request Forgery (SSRF) en chatwoot/chatwoot, que afecta a todas las versiones anteriores a la 2.5.0. La vulnerabilidad permite a un atacante cargar un archivo SVG que contiene un payload SSRF malicioso. Cuando el archivo SVG se utiliza como avatar y se abre en una nueva pestaña, puede activar la SSRF, lo que puede provocar una redirección del host.

15 Nov 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-15 11:15

Updated : 2024-11-19 17:10


NVD link : CVE-2021-3742

Mitre link : CVE-2021-3742

CVE.ORG link : CVE-2021-3742


JSON object : View

Products Affected

chatwoot

  • chatwoot
CWE
CWE-918

Server-Side Request Forgery (SSRF)