CVE-2019-16948

Name of the Vulnerable Software and Affected Versions Enghouse Web Chat version 6.1.300.31

Description A Server-Side Request Forgery (SSRF) issue allows an attacker to determine what is visible on the internal network by replacing the port number in the WebServiceLocation parameter of a POST request. The response from open ports differs from that of closed ports, enabling the attacker to identify open ports. The product only allows HTTP or HTTPS protocols, and any other protocol will result in an error that can be used to determine if a port is open.

Recommendations For Enghouse Web Chat version 6.1.300.31, consider restricting access to the WebServiceLocation parameter to minimize the risk of exploitation. As a temporary workaround, restrict the ability to modify the port number in the WebServiceLocation parameter to prevent internal network scanning. At the moment, there is no information about a newer version that contains a fix for this vulnerability.