Cross-Site Scripting (XSS) stored in Tawk Live Chat

Posted date 20/10/2025
Identifier
INCIBE-2025-0576
Importance
3 - Medium
Affected Resources

Live Chat

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Tawk Live Chat, a free customer service tool. The vulnerability was discovered by José Manuel Jerónimo Rodríguez.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-8349: CVSS v4.0: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

No solution has been reported at this time.

Detail

CVE-2025-8349: Stored cross-site scripting (XSS) in Tawk Live Chat. An attacker uploads a PDF carrying a JavaScript payload through the chatbot; the application stores the file and later renders it, without sanitising or neutralising the embedded script, when other users open it, so the script executes in the victim's browser in the context of the application. Consistent with the CVSS vector (PR:N, UI:P), the attacker needs no privileges on the platform, but a victim must open the stored file. Successful exploitation can be used to steal sensitive user data, such as session cookies, or to perform actions on behalf of the victim.

Exploitation
No