A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.
Metrics
Affected Vendors & Products
References
History
Fri, 15 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Chatwoot
Chatwoot chatwoot |
|
CPEs | cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:* | |
Vendors & Products |
Chatwoot
Chatwoot chatwoot |
|
Metrics |
cvssV3_1
|
Fri, 15 Nov 2024 11:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token. | |
Title | Session Fixation in chatwoot/chatwoot | |
Weaknesses | CWE-384 | |
References |
| |
Metrics |
cvssV3_0
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-11-15T10:57:09.236Z
Updated: 2024-11-15T19:03:09.228Z
Reserved: 2021-08-26T19:47:16.009Z
Link: CVE-2021-3740
Vulnrichment
Updated: 2024-11-15T19:02:58.652Z
NVD
Status : Awaiting Analysis
Published: 2024-11-15T11:15:04.987
Modified: 2024-11-15T19:35:02.440
Link: CVE-2021-3740
Redhat
No data.