NotChatbot WebChat Widget Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the NotChatbot WebChat widget, affecting versions through 1.4.4. The vulnerability arises because user input is not adequately sanitized before being saved and displayed in the chat conversation history. This flaw enables an attacker to inject arbitrary JavaScript, which executes when the chat history is accessed. The issue is present in multiple independent implementations of the widget, suggesting that it is a fundamental flaw in the product rather than a specific website configuration.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to session hijacking, information disclosure, and account takeover, depending on the application's context.

Reproduction

To reproduce this vulnerability, integrate the NotChatbot WebChat widget into a webpage using version 1.4.4. After sending a chat message that includes a JavaScript payload, the injected script will execute when the conversation is reloaded or viewed by another user.

Remediation

Users are advised to update to version 1.5.0 or later, where this vulnerability has been addressed.