5 matches found
CVE-2020-13972
CVE-2020-13972 in Enghouse Web Chat 6.2.284.34 is an XSS vulnerability triggered when a user supplies their own domain in the WebServiceLocation parameter; the POST response can display external JavaScript from a attacker-controlled server. This entry is tied to CVE-2019-16951, which Red Hat and ...
CVE-2019-16949
Enghouse Web Chat 6.1.300.31 and 6.2.284.34 contain an issue where a user can abuse a chat-log archive sending feature. A POST request at chat start allows altering the message and the end recipient’s address, which will share the log with an address having the same domain/user as the product all...
CVE-2019-16948
CVE-2019-16948 is an SSRF vulnerability in Enghouse Web Chat 6.1.300.31. In any POST request, an attacker can replace the port in WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to infer what is visible on the internal network, as the response differs between open an...
CVE-2019-16950
CVE-2019-16950 affects Enghouse Web Chat versions 6.1.300.31 and 6.2.284.34. The issue is an XSS where the QueueName parameter of a GET request allows insertion of user-supplied JavaScript due to insufficient input validation. Red Hat and CNVD entries corroborate a cross-site scripting vulnerabil...
CVE-2019-16951
Enghouse Web Chat 6.2.284.34 is affected by a remote file include (RFI) vulnerability (CVE-2019-16951). The issue allows an attacker to substitute the localhost attribute with an attacker-controlled domain; after a POST, the product calls that domain and may return data that reveals sensitive inf...