CVE-2021-3741 HIGH

CVE-2021-3741: Stored Cross-site Scripting (XSS) in chatwoot/chatwoot

Vendor Chatwoot
Product chatwoot/chatwoot
Weakness CWE-79 · XSS
Published November 15, 2024
Last update November 20, 2024

CVSS base score 7.8/10

Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability High

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H

Description

A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing an XSS payload as their avatar in the profile settings. When the avatar is opened in a new page, the JavaScript embedded in the SVG is executed in the browser, leading to potential security risks.

Disclosure timeline

November 15, 2024 CVE published
November 20, 2024 Record updated
