Cross-site Scripting (XSS) - Generic in chatwoot/chatwoot
Reported on
Apr 16th 2021
#SUMMARY I contacted the company directly, but they told me to submit the bug through huntr.
✍️ Description
Stored XSS. An agent can perform cross-site scripting against an admin.
#VIDEO POC https://drive.google.com/file/d/1vWXiFKbsqVhMUS4kgpz50wSNsFTo9Ny_/view?usp=sharing
🕵️‍♂️ Proof of Concept
STEPS TO REPRODUCE
As the admin (user A), go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add user B as an agent.
Now add user B to a website widget.
Now go to user B's account and change the full name to the XSS payload xss"'><img src=x onerror=alert(document.domain)>
Now, as an external customer, send a support chat message. User B picks up this message and replies.
Now, when the admin opens this support conversation and mouses over the message, the XSS executes under the admin's account.
💥 Impact
An agent can perform a stored XSS attack against an admin.
The bug is present in https://github.com/chatwoot/chatwoot/blob/develop/app/javascript/dashboard/components/widgets/conversation/Message.vue#L180 .
Suggested fix
content: ${this.$t('CONVERSATION.SENT_BY')} ${sender.name}
----> content: ${this.$t('CONVERSATION.SENT_BY')} ${encodeURI(sender.name)}
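As an added example (not chatwoot's code), the tooltip string from the report rebuilt with HTML entity escaping beside the raw interpolation, plus the report's encodeURI variant for comparison: percent-encoding does neutralise `<` and `>`, but it leaves the single quote untouched and turns spaces into `%20`, so entity escaping is the transform that fits text rendered inside an HTML tooltip. `sentBy` stands in for `this.$t('CONVERSATION.SENT_BY')`; the sample name is the payload quoted above.

```javascript
// Added example, not chatwoot's code. Shows how an agent-controlled display
// name should be neutralised before it is interpolated into tooltip markup.

// Escape the five characters that can break out of an HTML text or attribute
// context. '&' goes first so already-escaped input is not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form from the report: the name is interpolated verbatim.
function buildSentByTooltipUnsafe(sentBy, senderName) {
  return `${sentBy} ${senderName}`;
}

// Report's suggested fix: percent-encoding via encodeURI.
function buildSentByTooltipEncodeURI(sentBy, senderName) {
  return `${sentBy} ${encodeURI(senderName)}`;
}

// Hardened form: the same string with the name entity-escaped, so the
// browser renders it as literal text instead of parsing it as markup.
function buildSentByTooltip(sentBy, senderName) {
  return `${sentBy} ${escapeHtml(senderName)}`;
}

// True if a raw tag opener survived, i.e. the string can still inject markup.
function containsRawTag(s) {
  return /<[a-z]/i.test(s);
}

// Constructed input: the display-name payload quoted in the report.
const PAYLOAD_NAME = 'xss"\'><img src=x onerror=alert(document.domain)>';
const SENT_BY = 'Sent by:';

console.log('unsafe   :', buildSentByTooltipUnsafe(SENT_BY, PAYLOAD_NAME));
console.log('encodeURI:', buildSentByTooltipEncodeURI(SENT_BY, PAYLOAD_NAME));
console.log('escaped  :', buildSentByTooltip(SENT_BY, PAYLOAD_NAME));
```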
Just adding these links for reference:
Cheers! 🍰