ChatterMate Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in ChatterMate versions 1.0.8 and prior. The issue arises because the chatbot framework accepts and executes harmful HTML and JavaScript payloads embedded in chat messages. Notably, an iframe containing a JavaScript URI can be executed in the browser context, potentially accessing sensitive client-side information such as localStorage tokens and cookies. This vulnerability has been addressed in version 1.0.9.
Impact
Exploiting this vulnerability results in stored cross-site scripting: scripts injected through a chat message are executed in the browser context of the user.
Reproduction
To reproduce this vulnerability, send a chat message containing an iframe payload with a JavaScript URI, such as one that alerts localStorage tokens and cookies. This will demonstrate the stored cross-site scripting by executing the JavaScript in the browser context.
Remediation
Users can upgrade to ChatterMate version 1.0.9 to address this vulnerability.
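The following added example (not ChatterMate's code or its 1.0.9 patch) shows the general defense against this payload class: encode message text on output and turn only allowlisted URL schemes into links. The function names and the sample message are constructed for illustration.

```javascript
// Added example: names are hypothetical and the sample message is constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text so the browser renders it as characters, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Return the normalized URL if its scheme is allowlisted, otherwise null.
// The WHATWG URL parser drops tabs/newlines and lowercases the scheme, as
// browsers do, so "JaVa\tScRiPt:" is correctly recognized as "javascript:".
function safeUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // relative or unparsable input is never turned into a link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render a chat message: everything is escaped; only tokens that parse as
// allowlisted absolute URLs become links.
function renderMessage(text) {
  return String(text)
    .split(/(\s+)/) // capture group keeps whitespace runs as tokens
    .map((token) => {
      const href = safeUrl(token);
      const label = escapeHtml(token);
      return href
        ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`
        : label;
    })
    .join('');
}

// Constructed sample: the iframe/JavaScript-URI shape described in the advisory.
const SAMPLE = 'Hi <iframe src="javascript:alert(1)"></iframe> see https://example.com/docs';
console.log(renderMessage(SAMPLE));
```

The rendered string must be inserted as the message body without any later decoding step; decoding the entities again before insertion would undo the encoding.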
