VYPR
Unrated severityOSV Advisory· Published Jan 9, 2025· Updated Jan 9, 2025

Chatwoot has a Blind SQL-injection in Conversation and Contacts filters

CVE-2025-21628

Description

Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Chatwoot/ChatwootOSV2 versions
    2.16.1, v2.17.0, v2.17.1, …+ 1 more
    • (no CPE)range: 2.16.1, v2.17.0, v2.17.1, …
    • (no CPE)range: <3.16.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.