CVE-2019-16951

Name of the Vulnerable Software and Affected Versions Enghouse Web Chat version 6.2.284.34

Description A remote file include issue was discovered, allowing an attacker to replace the localhost attribute with their own domain name. After a POST request is sent, the product calls this domain, retrieving and displaying the attacker's data. The request sent from the product to the attacker reveals sensitive information, including pathnames and internal IP addresses.

Recommendations For Enghouse Web Chat version 6.2.284.34, consider restricting access to the localhost attribute to prevent replacement with an attacker's domain name. As a temporary workaround, restrict the product's ability to call external domains after a POST request is sent, until a patch is available.