CVE-2019-16949

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the message as well as the end recipient of the message. The e-mail address will have the same domain name and user as the product allotted. This can be used in phishing campaigns against users on the same domain.

Se descubrió un problema en Enghouse Web Chat versiones 6.1.300.31 y 6.2.284.34. Un usuario esta habilitado para enviar un archivo de su registro de chat a una dirección de correo electrónico especificada al comienzo del chat (donde el usuario ingresa su nombre y dirección de correo electrónico). Esta petición POST puede ser modificada para cambiar el mensaje y el destinatario final del mensaje. La dirección de correo electrónico tendrá el mismo nombre de dominio y usuario que el producto asignado. Esto puede ser usado en campañas de phishing contra usuarios en el mismo dominio.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-29 CVE Reserved
2019-11-13 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://mjlanders.com/2019/11/07/multiple-vulnerabilities-found-in-enghouse-zeacom-web-chat	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Enghouse Search vendor "Enghouse"		Web Chat Search vendor "Enghouse" for product "Web Chat"				6.1.300.31 Search vendor "Enghouse" for product "Web Chat" and version "6.1.300.31"		-		Affected
Enghouse Search vendor "Enghouse"		Web Chat Search vendor "Enghouse" for product "Web Chat"				6.2.284.34 Search vendor "Enghouse" for product "Web Chat" and version "6.2.284.34"		-		Affected