CVE-2021-3740

A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c	Patch
https://huntr.com/bounties/1625470476437-chatwoot/chatwoot	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*

History

10 Jul 2025, 16:31

Type	Values Removed	Values Added
CPE		cpe:2.3:a:chatwoot:chatwoot::::::::
First Time		Chatwoot Chatwoot chatwoot
References	~~() https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c -~~	() https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c - Patch
References	~~() https://huntr.com/bounties/1625470476437-chatwoot/chatwoot -~~	() https://huntr.com/bounties/1625470476437-chatwoot/chatwoot - Broken Link

15 Nov 2024, 13:58

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de fijación de sesión en las versiones de chatwoot/chatwoot anteriores a la 2.4.0. La aplicación no invalida las sesiones existentes en otros dispositivos cuando un usuario cambia su contraseña, lo que permite que las sesiones antiguas persistan. Esto puede provocar un acceso no autorizado si un atacante ha obtenido un token de sesión.

15 Nov 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 11:15

Updated : 2025-07-10 16:31

NVD link : CVE-2021-3740

Mitre link : CVE-2021-3740

CVE.ORG link : CVE-2021-3740

JSON object : View

Products Affected

chatwoot

chatwoot

CWE

CWE-384

Session Fixation

{"id": "CVE-2021-3740", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2024-11-15T11:15:04.987", "references": [{"url": "https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/1625470476437-chatwoot/chatwoot", "tags": ["Broken Link"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token."}, {"lang": "es", "value": "Existe una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en las versiones de chatwoot/chatwoot anteriores a la 2.4.0. La aplicaci\u00f3n no invalida las sesiones existentes en otros dispositivos cuando un usuario cambia su contrase\u00f1a, lo que permite que las sesiones antiguas persistan. Esto puede provocar un acceso no autorizado si un atacante ha obtenido un token de sesi\u00f3n."}], "lastModified": "2025-07-10T16:31:02.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E505E965-7648-4B41-A674-9E6ABB68D080", "versionEndExcluding": "2.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}

6.8 /10