{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T00:29:22.846","vulnerabilities":[{"cve":{"id":"CVE-2021-3741","sourceIdentifier":"security@huntr.dev","published":"2024-11-15T11:15:05.327","lastModified":"2024-11-19T17:07:38.267","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom JavaScript code is executed, leading to potential security risks."},{"lang":"es","value":"Se descubrió una vulnerabilidad de cross-site scripting (XSS) almacenado en chatwoot/chatwoot, que afecta a todas las versiones anteriores a la 2.6. La vulnerabilidad se produce cuando un usuario carga un archivo SVG que contiene un payload XSS malicioso en la configuración del perfil. Cuando se abre el avatar en una página nueva, se ejecuta el código JavaScript personalizado, lo que genera posibles riesgos de seguridad."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}],"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":6.0}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.0","matchCriteriaId":"63976EA8-9880-4802-8B08-9E2C679FF9F9"}]}]}],"references":[{"url":"https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c","source":"security@huntr.dev","tags":["Product"]},{"url":"https://huntr.com/bounties/1625474692857-chatwoot/chatwoot","source":"security@huntr.dev","tags":["Broken Link"]}]}}]}