For every bounty won throughout May 2021, huntr will donate half towards Indian COVID relief.
#SUMMURY i contacted the company directly , but they told me submit the bug through huntr
Stored xss .Agent can make cross site scripting against admin
#VIDEO POC https://drive.google.com/file/d/1vWXiFKbsqVhMUS4kgpz50wSNsFTo9Ny_/view?usp=sharing
From admin(user A) goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add user B as Agent .
Now add user B to a website widget .
Now goto user B account and change full name to xss payload xss"'><img src=x onerror=alert(document.domain)>
Now as a external customer sent a support chat message . User B picked up this message and make a reply .
Now when Admin open this support this and mouseover over the message then xss is executed under admin account .
agent can make stored xss attack against admin