- Description
- An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the message as well as the end recipient of the message. The e-mail address will have the same domain name and user as the product allotted. This can be used in phishing campaigns against users on the same domain.
- Source
- cve@mitre.org
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4
- Impact score
- 2.9
- Exploitability score
- 8
- Vector string
- AV:N/AC:L/Au:S/C:N/I:P/A:N
- nvd@nist.gov
- CWE-20
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:enghouse:web_chat:6.1.300.31:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "ADECAF52-1FE4-4CB5-8128-0855A26B4424"
},
{
"criteria": "cpe:2.3:a:enghouse:web_chat:6.2.284.34:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "77214FC3-B6F4-4DB5-82E8-4198005F8C43"
}
],
"operator": "OR"
}
]
}
]