A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.
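The defect the description names, modelled in Ruby as an added example (constructed here, not Chatwoot's code): a session check that only verifies the token exists keeps the stale session on the other device alive after a password change, whereas binding each session to the password version in force when it was issued (an assumed field, not anything from the advisory) rejects it.

```ruby
require 'securerandom'

# Constructed user model, not Chatwoot's code: password_version is a counter
# bumped on every password change (a change timestamp would serve as well).
class User
  attr_reader :id, :password_version
  def initialize(id)
    @id = id
    @password_version = 1
  end
  def change_password!
    @password_version += 1
  end
end

# Constructed in-memory session store: token => { user_id, password_version }.
class SessionStore
  def initialize
    @sessions = {}
  end
  # Record the user's password version at the moment the session is issued.
  def create(user)
    token = SecureRandom.hex(16)
    @sessions[token] = { user_id: user.id, password_version: user.password_version }
    token
  end
  # CWE-384 pattern: a session is accepted as long as its token exists, so one
  # issued before the password change stays valid on the other device.
  def valid_vulnerable?(token)
    @sessions.key?(token)
  end
  # Hardened check: reject any session issued under an earlier password version.
  def valid_hardened?(token, user)
    s = @sessions[token]
    return false unless s && s[:user_id] == user.id
    s[:password_version] == user.password_version
  end
end

# The advisory's scenario: device A logs in, the user changes the password from
# device B, and device A's old token is checked again under both policies.
def stale_session_demo
  user, store = User.new(42), SessionStore.new
  old_token = store.create(user)   # session on device A
  user.change_password!            # password changed from device B
  new_token = store.create(user)   # fresh login on device B
  { old_token_vulnerable: store.valid_vulnerable?(old_token),     # true
    old_token_hardened:   store.valid_hardened?(old_token, user), # false
    new_token_hardened:   store.valid_hardened?(new_token, user) } # true
end
```

The same binding can be applied to remember-me tokens and API keys derived from the login session, which a password change should retire as well.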
History

Fri, 15 Nov 2024 19:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Chatwoot; Chatwoot chatwoot
CPEs                |                | cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*
Vendors & Products  |                | Chatwoot; Chatwoot chatwoot
Metrics             |                | cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}
                    |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 Nov 2024 11:15:00 +0000

Type        | Values Removed | Values Added
Description |                | A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.
Title       |                | Session Fixation in chatwoot/chatwoot
Weaknesses  |                | CWE-384
References  |                |
Metrics     |                | cvssV3_0 {'score': 6.8, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-11-15T10:57:09.236Z

Updated: 2024-11-15T19:03:09.228Z

Reserved: 2021-08-26T19:47:16.009Z

Link: CVE-2021-3740

Vulnrichment

Updated: 2024-11-15T19:02:58.652Z

NVD

Status: Awaiting Analysis

Published: 2024-11-15T11:15:04.987

Modified: 2024-11-15T19:35:02.440

Link: CVE-2021-3740

Redhat

No data.