CVE-2025-24735: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Chatra Chatra Live Chat + ChatBot + Cart Saver
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chatra Chatra Live Chat + ChatBot + Cart Saver allows Stored XSS. This issue affects Chatra Live Chat + ChatBot + Cart Saver: from n/a through 1.0.11.
AI Analysis
Technical Summary
CVE-2025-24735 is a medium severity vulnerability classified as CWE-79, indicating an improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the Chatra Live Chat + ChatBot + Cart Saver product, specifically versions up to 1.0.11. The flaw allows an attacker to inject malicious scripts that are stored and later executed in the context of users visiting the affected web pages. The vulnerability is characterized as a Stored XSS, which is more dangerous than reflected XSS because the malicious payload is saved on the server and delivered to multiple users without requiring repeated injection. The CVSS v3.1 score is 5.9 (medium), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L, indicating that the attack can be performed remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability at a low level, as the attacker can execute scripts that may steal session tokens, manipulate page content, or cause denial of service. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability was reserved in January 2025 and published in July 2025. The root cause is insufficient input sanitization or output encoding during dynamic web page generation, allowing malicious JavaScript code to be stored and executed in users' browsers.
Potential Impact
For European organizations using Chatra Live Chat + ChatBot + Cart Saver, this vulnerability poses a risk of session hijacking, data theft, and potential manipulation of customer interactions on websites. Since live chat tools often handle sensitive customer data and facilitate real-time communication, exploitation could lead to unauthorized access to personal information or credentials. The stored XSS can also be used to deliver malware or phishing content to users, damaging brand reputation and customer trust. Additionally, the scope change in the vulnerability vector suggests that the impact could extend beyond the immediate application, potentially affecting other integrated systems or services. Given the medium severity and the requirement for high privileges and user interaction, the threat is more significant in environments where multiple users have elevated access or where attackers have already compromised some user accounts. The lack of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks, especially in sectors with high customer interaction such as e-commerce, finance, and public services.
Mitigation Recommendations
European organizations should prioritize the following specific actions:
1) Immediately audit and monitor all instances of Chatra Live Chat + ChatBot + Cart Saver for signs of suspicious script injections or anomalous chat content.
2) Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks.
3) Enforce input validation and output encoding on all user-generated content within the chat application, even if patches are pending.
4) Limit the number of users with high privileges who can input or approve chat content to reduce the risk of exploitation.
5) Regularly update and patch the Chatra product as soon as official fixes become available.
6) Educate users and administrators about the risks of clicking on suspicious links or executing unknown scripts within chat interfaces.
7) Consider deploying Web Application Firewalls (WAF) with rules tuned to detect and block XSS payloads targeting Chatra components.
8) Conduct penetration testing focused on stored XSS vectors in the chat environment to identify and remediate any additional weaknesses.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:52:51.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686796cb6f40f0eb729fa548
Added to database: 7/4/2025, 8:54:35 AM
Last enriched: 7/4/2025, 9:15:01 AM
Last updated: 7/8/2025, 2:24:31 PM