CVE-2021-3741

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-3741
A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c Product
https://huntr.com/bounties/1625474692857-chatwoot/chatwoot Broken Link
Configurations

Configuration 1 (hide)

cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*
History

19 Nov 2024, 17:07

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.8 		v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*
References () https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c - () https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c - Product
References () https://huntr.com/bounties/1625474692857-chatwoot/chatwoot - () https://huntr.com/bounties/1625474692857-chatwoot/chatwoot - Broken Link
First Time Chatwoot
Chatwoot chatwoot

15 Nov 2024, 13:58

Type Values Removed Values Added
Summary
  • (es) Se descubrió una vulnerabilidad de cross-site scripting (XSS) almacenado en chatwoot/chatwoot, que afecta a todas las versiones anteriores a la 2.6. La vulnerabilidad se produce cuando un usuario carga un archivo SVG que contiene un payload XSS malicioso en la configuración del perfil. Cuando se abre el avatar en una página nueva, se ejecuta el código JavaScript personalizado, lo que genera posibles riesgos de seguridad.

15 Nov 2024, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-15 11:15

Updated : 2024-11-19 17:07

NVD link : CVE-2021-3741

Mitre link : CVE-2021-3741

CVE.ORG link : CVE-2021-3741

JSON object : View

Products Affected

chatwoot

  • chatwoot
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024