PT-2019-14883 · Enghouse · Enghouse Web Chat

Published

2019-11-13

Updated

2021-07-21

CVE-2019-16951

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Enghouse Web Chat version 6.2.284.34

Description A remote file include issue was discovered, allowing an attacker to replace the localhost attribute with their own domain name. After a POST request is sent, the product calls this domain, retrieving and displaying the attacker's data. The request sent from the product to the attacker reveals sensitive information, including pathnames and internal IP addresses.

Recommendations For Enghouse Web Chat version 6.2.284.34, consider restricting access to the localhost attribute to prevent replacement with an attacker's domain name. As a temporary workaround, restrict the product's ability to call external domains after a POST request is sent, until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-829

Related Identifiers

CVE-2019-16951

Affected Products

Enghouse Web Chat

PT-2019-14883 · Enghouse · Enghouse Web Chat

CVE-2019-16951

Weakness Enumeration

Related Identifiers

Affected Products

References · 3