PT-2024-10982 · Chatwoot · Chatwoot

Published: 2024-11-15 · Updated: 2024-11-19 · CVE-2021-3742

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: chatwoot/chatwoot versions prior to 2.5.0

Description: A Server-Side Request Forgery (SSRF) vulnerability was discovered that allows an attacker to upload an SVG file containing an SSRF payload. When that SVG file is set as an avatar and opened in a new tab, the payload can trigger the SSRF, potentially leading to host redirection.

Recommendations: For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files or disabling the use of avatars until the patch is applied. Avoid using potentially malicious SVG files as avatars to minimize the risk of exploitation.
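The workaround above hinges on actually keeping SVG out of the avatar store, and an extension or declared-content-type check alone does not do that, because a renamed SVG arrives as "image/png". The following Ruby snippet is an added example, not Chatwoot's own code: it is a stand-alone upload gate that rejects SVG by inspecting the file body and accepts only raster images whose magic bytes match an allowlist. The function names, the allowlist, and the sample payloads are assumptions constructed for the example.

```ruby
# Added example (not Chatwoot's code): reject SVG avatars by content, not
# by filename. Only raster formats identified by magic bytes are accepted.

# Allowlisted raster types and their leading magic bytes.
ALLOWED_AVATAR_TYPES = {
  "image/png"  => "\x89PNG\r\n\x1a\n".b,
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/gif"  => "GIF8".b
}.freeze

# Returns the MIME type detected from magic bytes, or nil when the bytes
# do not match any allowlisted raster format.
def sniff_image_type(bytes)
  data = bytes.to_s.b
  ALLOWED_AVATAR_TYPES.each do |mime, magic|
    return mime if data.start_with?(magic)
  end
  # WebP is "RIFF" + 4 size bytes + "WEBP".
  return "image/webp" if data.bytesize >= 12 && data[0, 4] == "RIFF".b && data[8, 4] == "WEBP".b
  nil
end

# True when the leading bytes look like SVG/XML markup, regardless of the
# filename or the content type the client declared.
def looks_like_svg?(bytes)
  head = bytes.to_s.b[0, 4096].to_s
  return true if head.lstrip.start_with?("<?xml".b, "<svg".b, "<!DOCTYPE".b)
  head.downcase.include?("<svg".b)
end

# Validates an avatar upload. Returns [:ok, mime] on success or
# [:rejected, reason] on failure. The stored type should be the sniffed
# one, never the client-declared one.
def validate_avatar_upload(filename:, declared_type:, bytes:)
  ext = File.extname(filename.to_s).downcase
  declared = declared_type.to_s.downcase

  return [:rejected, "svg extension not allowed"] if [".svg", ".svgz"].include?(ext)
  return [:rejected, "svg content type not allowed"] if declared.start_with?("image/svg")
  return [:rejected, "svg/xml markup detected in file body"] if looks_like_svg?(bytes)

  mime = sniff_image_type(bytes)
  return [:rejected, "not a recognised raster image"] if mime.nil?
  return [:rejected, "declared type #{declared} does not match sniffed #{mime}"] if declared != mime

  [:ok, mime]
end

# Constructed sample payloads (not real uploads).
PNG_SAMPLE = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b
SVG_SAMPLE = "<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>".b

if $PROGRAM_NAME == __FILE__
  p validate_avatar_upload(filename: "me.png", declared_type: "image/png", bytes: PNG_SAMPLE)
  p validate_avatar_upload(filename: "me.svg", declared_type: "image/svg+xml", bytes: SVG_SAMPLE)
  # A renamed SVG with a spoofed content type is still caught by the body check.
  p validate_avatar_upload(filename: "me.png", declared_type: "image/png", bytes: SVG_SAMPLE)
end
```

The order of checks matters: the body inspection runs before the magic-byte allowlist so that an SVG renamed to ".png" with a spoofed "image/png" header is rejected with a clear reason rather than silently failing the allowlist. Wiring this into a real upload pipeline (for example as a model validation in a Rails app) is left to the integrator; the example only shows the gate itself.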

Fix

Weakness Enumeration: SSRF

Related Identifiers: CVE-2021-3742

Affected Products: Chatwoot