Home > Vulnerability Database > CVE-2024-0640

Mend.io Vulnerability Database

CVE-2024-0640

Good to know:

Date: March 20, 2025

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard app. The issue is fixed in version 3.5.2.

Severity Score

5.6

Related Resources (4)

Url: https://github.com/chatwoot/chatwoot/commit/e39c14460b860d5e3d23d989dd6af48404ad1bb4

Url: https://huntr.com/bounties/08b3bebf-ce3c-4416-b75e-1927ba61de85

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-0640

Url: https://www.mend.io/vulnerability-database/CVE-2024-0640

Severity Score

5.6

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version https://github.com/chatwoot/chatwoot.git - v3.5.2

Learn More

CVSS v3.1

Base Score:	5.6
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-0640

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?