Description

Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.

INFO

Published Date :

2025-01-09T17:10:05.301Z

Last Modified :

2025-01-09T18:10:11.074Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-21628 vulnerability.

Vendors Products
Chatwoot
  • Chatwoot
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-21628.

URL Resource
https://github.com/chatwoot/chatwoot/commit/b34dac7bbe3c910186083b680e51aad5ea60b44b cve-icon cve-icon
https://github.com/chatwoot/chatwoot/security/advisories/GHSA-g8f9-hh83-rcq9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact