Chatwoot
Monthly
Pre-Account Takeover in Chatwoot's OmniAuth integration affects all releases from 2.14.0 through 4.12.x, allowing an attacker who pre-registers a victim's email address to retain persistent login access after the legitimate owner authenticates via Google OAuth. The OAuth callback controller failed to invalidate attacker-set password credentials when confirming a pre-existing unconfirmed account, leaving the attacker's session viable indefinitely. No public exploit identified at time of analysis and EPSS is 0.04% (12th percentile), consistent with SSVC's 'Exploitation: none' finding, though SSVC rates technical impact as 'total' given the attacker gains full workspace access including PII, API keys, and conversation history.
SQL injection in Chatwoot versions 2.2.0 through 4.11.1 allows any authenticated account user to execute arbitrary SQL via time-based blind injection by abusing unparameterized values in custom-attribute filter operators on the conversation, contact, and custom attribute definition APIs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 8th percentile), but CVSS 8.5 with scope-changed confidentiality impact reflects the ability to read data beyond the attacker's account boundary. The vulnerability is fixed in Chatwoot 4.11.2.
Server-side request forgery (SSRF) in Chatwoot up to version 4.11.2 allows authenticated remote attackers to manipulate the URL argument in the Webhooks::Trigger function, enabling arbitrary HTTP requests from the server. Publicly available exploit code exists, and the vendor has not responded to disclosure efforts. While the CVSS score is moderate (5.3), the combination of a public PoC and an authenticated attack vector creates a meaningful exploitation risk for deployed instances.
Improper authorization in Chatwoot up to version 4.11.1 allows remote unauthenticated attackers to bypass authentication via the signupEnabled parameter in the /app/login endpoint's Signup Endpoint component. The vulnerability enables attackers to manipulate signup authorization controls by setting signupEnabled to true, resulting in unauthorized access. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.
Cross-site scripting (XSS) in Chatwoot up to version 4.7.0 allows remote attackers to inject malicious scripts via the Link argument in the IframeLoader.vue Admin Interface component, requiring user interaction to trigger. The vulnerability has a low CVSS score (2.1) and EPSS percentile (10%) but publicly available exploit code exists, indicating the attack is straightforward to execute once a victim clicks a crafted link.
A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available.
Chatwoot is a customer engagement suite. Rated critical severity (CVSS 9.1), this SQL injection vulnerability is remotely exploitable with low attack complexity and could allow attackers to execute arbitrary SQL commands against the database.