3 matches found
CVE-2025-21628
Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of queryoperator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by addi...
CVE-2025-21628
creationtimestamp| type| source ---|---|--- 2025-01-09 17:19:11+00:00| seen| https://infosec.exchange/users/cve/statuses/113799538335498729 2025-01-09 18:15:55+00:00| seen| https://bsky.app/profile/cve-notifications.bsky.social/post/3lfdbw3cyen2i 2025-01-09 18:38:42+00:00| seen|...
CVE-2025-21628
CVE-2025-21628 affects Chatwoot (conversation and contact filters endpoints). Before version 3.16.0, user-provided query_operator input was not sanitized, enabling an authenticated actor to inject arbitrary SQL into the filter query (tautological WHERE clause). Impact is mitigated by upgrading to...