Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Chatwoot has a Blind SQL-injection in Conversation and Contacts filters
Vulnerability Description
Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
Chatwoot SQL注入漏洞
Vulnerability Description
Chatwoot是Chatwoot开源的一个应用软件。客户参与套件,对讲、Zendesk、Salesforce 服务云等的开源替代方案。 Chatwoot 3.16.0之前版本存在SQL注入漏洞,该漏洞源于输入清理不当,攻击者可以通过添加重复的WHERE子句在过滤器查询中运行任意SQL。
CVSS Information
N/A
Vulnerability Type
N/A