exploitDog

CVE-2024-0640

Опубликовано: 20 мар. 2025

Источник: nvd

CVSS3: 5.6

CVSS3: 4.8

EPSS Низкий

Описание

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard app. The issue is fixed in version 3.5.2.

Ссылки

https://github.com/chatwoot/chatwoot/commit/e39c14460b860d5e3d23d989dd6af48404ad1bb4
Patch
https://huntr.com/bounties/08b3bebf-ce3c-4416-b75e-1927ba61de85
Exploit
Issue Tracking
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*

Версия до 3.5.2 (исключая)

EPSS

Процентиль: 18%

0.00056

Низкий

5.6 Medium

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-8gfh-hxjj-c33j

CVSS3: 5.6

github

11 месяцев назад

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard app. The issue is fixed in version 3.5.2.

EPSS

Процентиль: 18%

0.00056

Низкий

5.6 Medium

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-79