Chatwoot · Chatwoot · CVE-2026-44706
**Name of the Vulnerable Software and Affected Versions**
Chatwoot versions 2.2.0 through 4.11.1
**Description**
An issue exists in the conversation and contact filter APIs: when a filter targets a custom attribute of type date or number with the `is greater than` or `is less than` operator, the user-supplied entries in the `values` field of the filter payload are interpolated directly into the SQL query instead of being passed as bound parameters. An authenticated user with access to an account can therefore execute arbitrary SQL via time-based blind injection. Affected endpoints include `/api/v1/accounts/{account_id}/conversations/filter`, `/api/v1/accounts/{account_id}/contacts/filter`, and `/api/v1/accounts/{account_id}/custom_attribute_definitions`.
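The pattern behind this class of bug, shown as an added Ruby example (hypothetical code, not Chatwoot's own): a filter clause builder that interpolates the `values` entry directly, next to a hardened version that coerces the value to the declared attribute type and emits a bind placeholder. It assumes custom attributes live in a Postgres JSONB column named `custom_attributes` and uses a simplified filter shape; both are assumptions for illustration.

```ruby
require 'date'

# Maps the filter payload's operator names to SQL (assumed naming).
FILTER_OPERATORS = {
  'is_greater_than' => '>',
  'is_less_than'    => '<'
}.freeze

# Vulnerable pattern: the untrusted value lands in the SQL text verbatim,
# so anything the caller puts in `values` becomes part of the query.
def build_clause_vulnerable(attr_key, attr_type, operator, value)
  op   = FILTER_OPERATORS.fetch(operator)
  cast = attr_type == 'date' ? 'date' : 'numeric'
  literal = attr_type == 'date' ? "'#{value}'" : value.to_s
  "(custom_attributes->>'#{attr_key}')::#{cast} #{op} #{literal}"
end

class InvalidFilterValue < StandardError; end

# Hardened step 1: coerce the value to the attribute's declared type.
# Anything that is not a number or an ISO-8601 date is rejected outright.
def coerce_filter_value(attr_type, value)
  case attr_type
  when 'number' then Float(value)
  when 'date'   then Date.iso8601(value.to_s)
  else raise InvalidFilterValue, "unsupported attribute type #{attr_type}"
  end
rescue ArgumentError, TypeError # Date::Error is an ArgumentError subclass
  raise InvalidFilterValue, "#{value.inspect} is not a valid #{attr_type}"
end

# Hardened step 2: never splice user input into the SQL string. The
# attribute key and the typed value both travel as bind parameters.
def build_clause_safe(attr_key, attr_type, operator, value)
  op    = FILTER_OPERATORS.fetch(operator) # unknown operator raises KeyError
  typed = coerce_filter_value(attr_type, value)
  cast  = attr_type == 'date' ? 'date' : 'numeric'
  sql   = "(custom_attributes->>?)::#{cast} #{op} ?"
  [sql, [attr_key, typed]]
end
```

In a Rails code base the `[sql, binds]` pair would be handed to `where(sql, *binds)` so the database driver, not string concatenation, quotes the values.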
**Recommendations**
Update to version 4.11.2.