CometChat Remote Code Execution and Cross-Site Scripting Vulnerabilities

Summary
CometChat is prone to a cross-site scripting vulnerability and a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied data. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. An attacker can exploit the remote code-execution issue to execute arbitrary code in the context of the application. Failed attacks may cause denial-of-service conditions.
Solution
Updates are available. Please see the references or vendor advisory for more information.
References