Chatwoot Vulnerability Could Lead to Security Risks

CVE-2021-3741

5.4MEDIUM

Key Information

Vendor: Chatwoot
Status: Chatwoot/chatwoot
Vendor: CVE Published:; 15 November 2024

Summary

A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks.

Affected Version(s)

chatwoot/chatwoot < 2.6

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: 5.4 to: 7.8 - (HIGH)
Nov 20, 2024
Risk change from: null to: 7.8 - (HIGH)
Nov 15, 2024
Vulnerability published.
Nov 15, 2024
Vulnerability Reserved.
Aug 26, 2021

Collectors

NVD DatabaseMitre Database