CVE-2021-3742

CVSS V2 None CVSS V3 None

Description

A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a new tab, it can trigger the SSRF, potentially leading to host redirection.

Overview

CVE ID
CVE-2021-3742

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-11-15T10:51:25.968Z

Last Modified Date
2024-11-15T10:57:14.203Z

Weakness Enumerations

CWE	URL
CWE-918	http://cwe.mitre.org/data/definitions/918.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/1625472546121-chatwoot/chatwoot
https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-3742
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3742

History

Created	Old Value	New Value	Data Type	Notes
2024-11-16 12:05:08				Added to TrackCVE