A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a new tab, it can trigger the SSRF, potentially leading to host redirection.
References
Configurations
History
19 Nov 2024, 17:10
Type | Values Removed | Values Added |
---|---|---|
First Time |
Chatwoot
Chatwoot chatwoot |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
CPE | cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:* | |
References | () https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c - Product | |
References | () https://huntr.com/bounties/1625472546121-chatwoot/chatwoot - Broken Link |
15 Nov 2024, 13:58
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
15 Nov 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-15 11:15
Updated : 2024-11-19 17:10
NVD link : CVE-2021-3742
Mitre link : CVE-2021-3742
CVE.ORG link : CVE-2021-3742
JSON object : View
Products Affected
chatwoot
- chatwoot
CWE
CWE-918
Server-Side Request Forgery (SSRF)