Session Fixation Vulnerability Affects Chatwoot Prior to 2.4.0

CVE-2021-3740

6.8MEDIUM

Key Information

Vendor: Chatwoot
Status: Chatwoot/chatwoot
Vendor: CVE Published:; 15 November 2024

Summary

A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.

Affected Version(s)

chatwoot/chatwoot < 2.4.0

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: null to: 6.8 - (MEDIUM)
Nov 15, 2024
Vulnerability published.
Nov 15, 2024
Vulnerability Reserved.
Aug 26, 2021

Collectors

NVD DatabaseMitre Database