Skip to main content

Chatwoot CVE-2022-3741

CRITICAL
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2022-10-28 security@huntr.dev
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 28, 2022 - 13:15 nvd
CRITICAL 9.8

DescriptionNVD

Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \n\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.

AnalysisAI

Impact varies for each individual vulnerability in the application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-307. Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \n\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise. Affected products include: Chatwoot.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2021-3649 HIGH POC
7.5 Jul 16

chatwoot is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability

CVE-2022-2901 HIGH POC
7.1 Sep 06

Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. Rated high severity (CVSS 7.1), this vulnera

CVE-2022-0542 MEDIUM POC
6.1 Aug 19

Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0. Rated medium severity (CVSS 6.1)

CVE-2022-1021 MEDIUM POC
5.4 Aug 19

Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0. Rated medium severity (

CVE-2022-1022 MEDIUM POC
5.4 Apr 21

Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0. Rated medium severity (CVSS 5

CVE-2024-0640 MEDIUM POC
4.8 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. Rated medium seve

CVE-2026-44706 HIGH
8.5 May 26

SQL injection in Chatwoot versions 2.2.0 through 4.11.1 allows any authenticated account user to execute arbitrary SQL v

CVE-2026-44707 MEDIUM
6.8 May 26

Pre-Account Takeover in Chatwoot's OmniAuth integration affects all releases from 2.14.0 through 4.12.x, allowing an att

CVE-2025-12246 LOW POC
2.1 Oct 27

Cross-site scripting (XSS) in Chatwoot up to version 4.7.0 allows remote attackers to inject malicious scripts via the L

CVE-2023-2109 MEDIUM
6.1 Apr 17

Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.14.0. Rated medium severity (CVSS 6.1

CVE-2026-4990 MEDIUM
5.5 Mar 27

Improper authorization in Chatwoot up to version 4.11.1 allows remote unauthenticated attackers to bypass authentication

CVE-2026-5205 LOW
2.1 Mar 31

Server-side request forgery (SSRF) in Chatwoot up to version 4.11.2 allows authenticated remote attackers to manipulate

Share

CVE-2022-3741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy