CVE-2024-0640 MEDIUM

CVE-2024-0640: Stored XSS in chatwoot/chatwoot

Vendor Chatwoot
Product chatwoot/chatwoot
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025

CVSS base score

5.6/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Description

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard app. The issue is fixed in version 3.5.2.

Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated
