PT-2024-10981 · Chatwoot · Chatwoot

Published: 2024-11-15 · Updated: 2024-11-19 · CVE-2021-3741

CVSS v3.1: 7.8 (High)

Vector: AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H
Affected software and versions: chatwoot/chatwoot, versions prior to 2.6

Description: A stored cross-site scripting (XSS) vulnerability affects the profile settings: a user can upload an SVG file as an avatar that contains a malicious XSS payload. When the avatar is opened in a new page, the JavaScript embedded in the SVG is executed in the viewer's browser.

Recommendations: For versions prior to 2.6, update to the latest release. As a temporary workaround, restrict the upload of SVG files in the profile settings until the update has been applied.
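The workaround above is only effective if the server decides by file content rather than by the client-supplied filename or Content-Type, both of which an uploader controls. The following Ruby is an added example, not Chatwoot's own code: a hypothetical validate_avatar check that detects SVG by its leading bytes (BOM, XML prolog, comments and DOCTYPE allowed before the root element) and admits only raster formats recognised by their magic bytes; the sample inputs are constructed.

```ruby
# Added example, not Chatwoot's own code. Decide on the bytes of an uploaded
# avatar, not on the filename or the client-sent Content-Type, since both are
# attacker-controlled. SVG is rejected outright; only listed raster formats pass.

# Magic bytes of the raster formats this (hypothetical) avatar field accepts.
ALLOWED_MAGIC = {
  'image/png'  => [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A].pack('C*'),
  'image/jpeg' => [0xFF, 0xD8, 0xFF].pack('C*'),
  'image/gif'  => 'GIF8'.b
}.freeze

# True when the leading bytes form an SVG document: an optional UTF-8 BOM,
# XML prolog, comments and DOCTYPE, followed by an <svg root element.
# Renaming "avatar.svg" to "avatar.png" does not change this answer.
def svg_content?(bytes)
  head = bytes.b[0, 4096]
  head = head[3..-1] if head.start_with?("\xEF\xBB\xBF".b)
  head = head.sub(/\A\s*<\?xml.*?\?>/m, '')          # XML prolog
  loop do
    before = head
    head = head.sub(/\A\s*<!--.*?-->/m, '')           # leading comment
    head = head.sub(/\A\s*<!DOCTYPE[^>]*>/mi, '')     # doctype
    break if head == before
  end
  head.match?(/\A\s*<svg\b/i)
end

# Returns the detected MIME type for an accepted raster image, or nil when the
# upload is SVG or any format not in ALLOWED_MAGIC (the caller rejects on nil).
def validate_avatar(bytes)
  data = bytes.b
  return nil if svg_content?(data)
  ALLOWED_MAGIC.each { |mime, magic| return mime if data.start_with?(magic) }
  nil
end

# Constructed samples, not real uploads.
SAMPLE_SVG = "\xEF\xBB\xBF<?xml version=\"1.0\"?>\n<!-- avatar -->\n" \
             "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"8\" height=\"8\"/>"
SAMPLE_PNG = ALLOWED_MAGIC['image/png'] + ("\x00" * 16).b

if __FILE__ == $PROGRAM_NAME
  puts "svg: #{validate_avatar(SAMPLE_SVG).inspect}"  # nil -> reject
  puts "png: #{validate_avatar(SAMPLE_PNG).inspect}"  # "image/png"
end
```

Independently of the upload check, serving user-supplied files from a separate origin or with a Content-Disposition: attachment header keeps any script in a file that does slip through from running in the application's origin.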

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2021-3741

Affected Products: Chatwoot