A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks.
Metrics
Affected Vendors & Products
References
History
Wed, 20 Nov 2024 23:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 19 Nov 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Chatwoot
Chatwoot chatwoot |
|
CPEs | cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:* | |
Vendors & Products |
Chatwoot
Chatwoot chatwoot |
|
Metrics |
cvssV3_1
|
Fri, 15 Nov 2024 11:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks. | |
Title | Stored Cross-site Scripting (XSS) in chatwoot/chatwoot | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_0
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-11-15T10:51:22.667Z
Updated: 2024-11-20T22:36:41.760Z
Reserved: 2021-08-26T20:25:04.202Z
Link: CVE-2021-3741
Vulnrichment
Updated: 2024-11-20T22:36:36.698Z
NVD
Status : Analyzed
Published: 2024-11-15T11:15:05.327
Modified: 2024-11-19T17:07:38.267
Link: CVE-2021-3741
Redhat
No data.