Web Chat
CVE-2019-16949
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the message as well as the end recipient of the message. The e-mail address will have the same domain name and user as the product allotted. This can be used in phishing campaigns against users on the same domain.
AnalysisAI
An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-20. An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the message as well as the end recipient of the message. The e-mail address will have the same domain name and user as the product allotted. This can be used in phishing campaigns against users on the same domain. Affected products include: Enghouse Web Chat.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. Rated critical severity (CVSS 9.8), this vulnerability is
Enghouse Web Chat 6.2.284.34 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, n
An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. Rated medium severity (CVSS 6.1), this vulne
A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. Rated medium severity (CVSS 5.3), this
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today