Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stored XSS executes in support agent's browser (scope change S:C); no privileges or special conditions required beyond initiating a public chat session.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Stored Cross-Site Scripting (XSS) vulnerability in the RD Station Conversas chat. The vulnerability resides in the ‘name’ parameter of the initialization process due to improper sanitization of user input. The vulnerability is not limited to self-exploitation: when a support agent joins the conversation, the malicious script also executes in their browser, increasing the impact. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of the application.
AnalysisAI
Stored XSS in Tallos Chat (RD Station Conversas) allows unauthenticated attackers to inject persistent malicious JavaScript via the 'name' parameter during chat session initialization. The payload executes not only in the initiating visitor's browser but also in the browser of any support agent who joins the conversation, expanding the attack surface to privileged operator sessions within the platform. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to initiate a new Tallos Chat session via the publicly accessible chat widget, which the CVSS vector (PR:N) indicates requires no authentication. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium, vector AV:N/AC:L/AT:N/PR:N/UI:A) reflects that exploitation requires no privileges and is network-accessible, but mandates active user interaction (UI:A) - specifically, a support agent joining the chat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker visits a business's website and initiates a Tallos Chat session, entering a JavaScript payload such as a cookie-stealing script as their display name. The payload is stored by the chat backend and renders silently. … |
| Remediation | No vendor-released patch or specific fixed version has been independently confirmed from the available data; organizations should contact RD Station Conversas directly and monitor the INCIBE advisory for patch release information: https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-tallos-chat-rd-station-conversas. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43337