Tawk.to Live Chat Widget Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Tawk.to chatbox widget version 4. This vulnerability allows attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into a vulnerable parameter. The exploitation occurs on the employee side of the Live Chat Support.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected JavaScript is executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, first inspect the Tawk.to chat widget to confirm it is version 4. If it is, inject a simple payload, such as a link formatted to execute JavaScript, into a vulnerable parameter. Once the payload is injected, it will be executed when the employee interacts with the chatbox.