Session Fixation Vulnerability Affects Chatwoot Prior to 2.4.0
CVE-2021-3740
6.8MEDIUM
Key Information
- Vendor
- Chatwoot
- Status
- Chatwoot/chatwoot
- Vendor
- CVE Published:
- 15 November 2024
Summary
A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.
Affected Version(s)
chatwoot/chatwoot < 2.4.0
References
CVSS V3.1
Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database