A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks.
History

Wed, 20 Nov 2024 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 Nov 2024 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Chatwoot
Chatwoot chatwoot
CPEs cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*
Vendors & Products Chatwoot
Chatwoot chatwoot
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 15 Nov 2024 11:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks.
Title Stored Cross-site Scripting (XSS) in chatwoot/chatwoot
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-11-15T10:51:22.667Z

Updated: 2024-11-20T22:36:41.760Z

Reserved: 2021-08-26T20:25:04.202Z

Link: CVE-2021-3741

cve-icon Vulnrichment

Updated: 2024-11-20T22:36:36.698Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-15T11:15:05.327

Modified: 2024-11-19T17:07:38.267

Link: CVE-2021-3741

cve-icon Redhat

No data.