Session Fixation Vulnerability Affects Chatwoot Prior to 2.4.0

CVE-2021-3740

6.8MEDIUM

Key Information

Vendor
Chatwoot
Status
Chatwoot/chatwoot
Vendor
CVE Published:
15 November 2024

Summary

A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.

Affected Version(s)

chatwoot/chatwoot < 2.4.0

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.