- Description
- A vulnerability was identified in chatwoot up to and including 4.7.0. It affects the function initPostMessageCommunication in the file app/javascript/sdk/IFrameHelper.js of the Widget component. Manipulation of the argument baseUrl leads to an origin validation error (the widget's window.postMessage handling does not correctly verify the sender origin). The attack can be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
- Source
- cna@vuldb.com
- NVD status
- Analyzed
- Products
- chatwoot
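The description names an origin validation error in the widget's postMessage handling. The following is an added illustration, not Chatwoot's own code: it places a listener that trusts any sender beside one that pins the sender origin, and replays constructed MessageEvent-like objects through both so the difference can be observed without a browser. The message envelope, the function names and the sample origins (chat.example.com, evil.example) are assumptions.

```javascript
// Added example (not Chatwoot's own code): two window.postMessage listeners for
// an embedded widget, one that trusts any sender and one that pins the sender
// origin. Message format, function names and sample origins are assumptions.

// Derive the single origin the widget should accept messages from. URL.origin
// yields scheme://host[:port] with no path, trailing slash or credentials, so
// the comparison further down is an exact string match on the origin alone.
function trustedOriginFrom(baseUrl) {
  const url = new URL(baseUrl);
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`unsupported scheme in baseUrl: ${url.protocol}`);
  }
  return url.origin;
}

// Assumed envelope: a JSON string of the form {"type": string, "payload": any}.
function parseWidgetMessage(data) {
  if (typeof data !== "string") return null;
  let msg;
  try {
    msg = JSON.parse(data);
  } catch {
    return null;
  }
  if (!msg || typeof msg.type !== "string") return null;
  return msg;
}

// Vulnerable pattern: the listener never inspects event.origin, so any page
// that can obtain a reference to the widget window (for example by embedding
// it in an iframe of its own) can drive it and receive whatever it replies.
function insecureListener(onMessage) {
  return function (event) {
    const msg = parseWidgetMessage(event.data);
    if (!msg) return false;
    onMessage(msg, event);
    return true;
  };
}

// Hardened pattern: exact comparison of event.origin with an origin fixed at
// initialization. The trusted origin must come from configuration that the
// party sending messages cannot influence; an allowlist derived from an
// attacker-supplied baseUrl is no check at all.
function secureListener(trustedOrigin, onMessage) {
  return function (event) {
    if (event.origin !== trustedOrigin) return false; // exact match, never startsWith/includes
    const msg = parseWidgetMessage(event.data);
    if (!msg) return false;
    onMessage(msg, event);
    return true;
  };
}

// Replay a list of synthetic events through a listener built by listenerFactory
// and return the message types it accepted.
function acceptedTypes(listenerFactory, events) {
  const types = [];
  const listener = listenerFactory((msg) => types.push(msg.type));
  for (const ev of events) listener(ev);
  return types;
}

// Constructed sample traffic: one legitimate message, one from an unrelated
// origin, one from a lookalike origin that a prefix match would let through,
// and one malformed message from the trusted origin.
const TRUSTED_ORIGIN = trustedOriginFrom("https://chat.example.com/widget/");
const SAMPLE_EVENTS = [
  { origin: "https://chat.example.com", data: JSON.stringify({ type: "set-user", payload: { id: 1 } }) },
  { origin: "https://evil.example", data: JSON.stringify({ type: "get-conversation", payload: {} }) },
  { origin: "https://chat.example.com.evil.example", data: JSON.stringify({ type: "get-conversation", payload: {} }) },
  { origin: "https://chat.example.com", data: "not json" },
];

function demo() {
  return {
    insecure: acceptedTypes((cb) => insecureListener(cb), SAMPLE_EVENTS),
    secure: acceptedTypes((cb) => secureListener(TRUSTED_ORIGIN, cb), SAMPLE_EVENTS),
  };
}

console.log(demo()); // insecure accepts all three well-formed messages, secure only the first
```

The insecure listener accepts every well-formed message regardless of where it came from; the hardened one accepts only the message whose origin equals the pinned value, rejecting both the unrelated origin and the lookalike host. In a real deployment the same rule applies in the other direction: replies must be sent with an explicit targetOrigin rather than "*", or the conversation data goes to whichever window asked.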
CVSS 4.0
- Type
- Secondary
- Base score
- 5.5
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Secondary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
- Weakness source
- cna@vuldb.com
- CWE
- CWE-345 (Insufficient Verification of Data Authenticity)
- Hype score
- Not currently trending
🚨 CVE-2025-12245: Chatwoot widget trusts any origin, letting attackers steal cw_conversation tokens and read chat history remotely. Update above 4.7.0 or harden origin checks. More details ➡️ https://t.co/1AdA2P7MJ6 #Chatwoot #infosec #AppSec
@VolerionSec
27 Oct 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-12245 A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelp… https://t.co/NA01VYbA7i
@CVEnew
27 Oct 2025
317 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "64647564-7997-4E77-AE41-FA0698414129",
            "versionEndIncluding": "4.7.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]