CVE-2021-3741

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Chatwoot allows attackers to upload malicious SVG files containing JavaScript payloads via profile settings. When victims view these avatars in a new page, the malicious code executes in their browser context. All Chatwoot users running versions before 2.6 are affected.

💻 Affected Systems

Products:
  • chatwoot/chatwoot
Versions: All versions prior to 2.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments where user avatar uploads are enabled in profile settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts and data.

🟠 Likely Case

Attackers steal session tokens to hijack user accounts, potentially accessing sensitive chat data and performing unauthorized actions.

🟢 If Mitigated

With proper input validation and Content Security Policy, the risk is limited to isolated avatar viewing sessions with minimal impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to upload profile avatars. The vulnerability is well-documented with public proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.0

Vendor Advisory: https://github.com/chatwoot/chatwoot/commit/6fdd4a29969be8423f31890b807d27d13627c50c

Restart Required: Yes

Instructions:

1. Update Chatwoot to version 2.6.0 or later.
2. Restart the Chatwoot application.
3. Verify the fix by checking the version and testing SVG uploads.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

  • Configure Chatwoot to reject SVG file uploads in profile avatar settings
  • Modify the Chatwoot configuration to restrict the allowed file types for avatars

Implement Content Security Policy (applies to: all)

  • Add CSP headers to prevent inline script execution from SVG files
  • Add the header Content-Security-Policy: script-src 'self' to the web server configuration, and make sure it is also sent on the responses that serve uploaded avatar files, since a CSP delivered only with the application's HTML pages does not govern an SVG opened directly as its own document
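The "reject SVG uploads" workaround above, as an added example that is not Chatwoot's own code: an avatar validator that decides by file content rather than by the client-supplied extension or Content-Type, so a script-bearing SVG renamed to .png or declared as image/png is still rejected. It assumes a raster-only allowlist (PNG, JPEG, GIF) identified by magic bytes.

```ruby
# Added example (not from Chatwoot). Allowlist check for avatar uploads that
# inspects the first bytes of the file instead of trusting the declared type.

# Magic-byte signatures of the raster formats an avatar may use (assumption:
# only these three are acceptable for avatars).
ALLOWED_SIGNATURES = {
  "image/png"  => "\x89PNG\r\n\x1a\n".b,
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/gif"  => "GIF8".b,
}.freeze

# Returns [true, detected_type] when the upload may be stored, or
# [false, reason] when it must be rejected.
#   bytes          - raw file content (String)
#   declared_type  - optional Content-Type sent by the client
def avatar_upload_allowed?(bytes, declared_type: nil)
  head = bytes.byteslice(0, 1024).to_s.b
  lowered = head.downcase

  # SVG is XML text; any XML prolog, svg root element or svg DOCTYPE in the
  # leading bytes marks the file as SVG regardless of its name or MIME type.
  if lowered.lstrip.start_with?("<?xml".b) ||
     lowered.include?("<svg".b) ||
     lowered.include?("<!doctype svg".b)
    return [false, "svg content not allowed for avatars"]
  end

  # Everything else must carry a known raster signature.
  type, = ALLOWED_SIGNATURES.find { |_t, sig| head.start_with?(sig) }
  return [false, "unrecognized image signature"] unless type

  # A mismatch between what the client claimed and what the bytes say is a
  # reason to reject, not to "trust" either side.
  if declared_type && declared_type != type
    return [false, "declared #{declared_type} but content is #{type}"]
  end

  [true, type]
end
```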

🧯 If You Can't Patch

  • Restrict user permissions to prevent unauthorized users from uploading profile avatars
  • Implement web application firewall rules to block SVG files containing JavaScript payloads

🔍 How to Verify

Check if Vulnerable:

Check whether the Chatwoot version is below 2.6.0 and test by uploading an SVG file with a simple JavaScript payload as a profile avatar.

Check Version:

Check Chatwoot dashboard or run: docker exec chatwoot bundle exec rails -v | grep chatwoot

Verify Fix Applied:

After updating to 2.6.0+, attempt to upload an SVG with JavaScript payload - it should be sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads in profile settings
  • Multiple failed SVG upload attempts
  • User accounts uploading unusually large avatar files

Network Indicators:

  • HTTP requests for SVG files with suspicious parameter names
  • Outbound connections from avatar viewing pages to unknown domains

SIEM Query:

source="chatwoot" AND (file_extension="svg" OR file_type="image/svg+xml") AND user_action="upload"
