CVE-2022-2901 : Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8.

Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8.

Published 2022-09-06 10:15:09

Updated 2022-09-13 12:46:55

Source huntr.dev

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-2901

Chatwoot » Chatwoot
Versions before (<) 2.8.0
cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.6	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N	2.3	4.7	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: Low Integrity: High Availability: None
7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N	2.8	4.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: High Availability: None

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: security@huntr.dev (Primary)

https://github.com/chatwoot/chatwoot/commit/329e8c37c8ebc1b3629c0c3830b0e3070a3adc2a

fix: Validations for updating team members (#5384) · chatwoot/chatwoot@329e8c3 · GitHub
Patch;Third Party Advisory
https://huntr.dev/bounties/cf46e0a6-f1b5-4959-a952-be9e4bac03fe

Improper Authorization lead a user add an arbitrary agent into Team vulnerability found in chatwoot
Exploit;Issue Tracking;Patch;Third Party Advisory

Jump to