CVE Vulnerability

CVE-2019-16949

An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the message as well as the end recipient of the message. The e-mail address will have the same domain name and user as the product allotted. This can be used in phishing campaigns against users on the same domain.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://mjlanders.com/2019/11/07/multiple-vulnerabilities-found-in-enghouse-zeacom-web-chat/ Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:enghouse:web_chat:6.1.300.31:*:*:*:*:*:*:*
cpe:2.3:a:enghouse:web_chat:6.2.284.34:*:*:*:*:*:*:*
Information

Published : 2019-11-13 06:15

Updated : 2019-11-15 07:09

NVD link : CVE-2019-16949

Mitre link : CVE-2019-16949

Products Affected
No products.
CWE
CWE-20