CVE-2022-3741 CRITICAL

CVE-2022-3741: Improper Restriction of Excessive Authentication Attempts in chatwoot/chatwoot

Vendor Chatwoot
Product chatwoot/chatwoot
Weakness CWE-307 · Brute force
Published October 28, 2022
Last update May 9, 2025

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to use the response status code to distinguish accounts that have been generated and are waiting for email verification.

For the sign-in endpoints, it is possible to brute force login attempts against either login portal, which could lead to account compromise.

Key dates

Disclosure timeline

October 28, 2022 CVE published
May 9, 2025 Record updated
