CVE-2021-3740 Information

Description

A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.

Reference

https://huntr.com/bounties/1625470476437-chatwoot/chatwoot https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c