TawkTo Widget Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in TawkTo Widget versions through 1.3.7. This issue arises from the widget's handling of user input, which allows for the execution of JavaScript. The vulnerability can be exploited by injecting JavaScript into user input that is not properly sanitized before being processed.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious JavaScript that is executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to the TawkTo upload endpoint for visitor chat. Include a crafted file in the upload field that contains JavaScript execution payload, such as an image file with an 'onerror' event handler. The request must be made from a cross-site origin to bypass same-origin policies.