CVE-2024-0640

4.8 MEDIUM
Published: March 20, 2025 Modified: October 28, 2025
View on NVD

Description

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard app. The issue is fixed in version 3.5.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/chatwoot/chatwoot/commit/e39c14460b860d5e3d23d989dd6af48404ad1bb4
Source: security@huntr.dev
Patch
https://huntr.com/bounties/08b3bebf-ce3c-4416-b75e-1927ba61de85
Source: security@huntr.dev
Exploit Issue Tracking Patch Third Party Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.8 / 10.0
EPSS (Exploit Probability)
0.0%
15th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

chatwoot

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A