Cross-site Scripting (XSS) - Generic in chatwoot/chatwoot

Valid

Reported on

Apr 16th 2021


#SUMMARY I contacted the company directly, but they told me to submit the bug through huntr.

✍️ Description

Stored XSS. An agent can carry out cross-site scripting against an admin.

#VIDEO POC https://drive.google.com/file/d/1vWXiFKbsqVhMUS4kgpz50wSNsFTo9Ny_/view?usp=sharing

🕵️‍♂️ Proof of Concept

STEPS TO REPRODUCE

  1. From admin (user A), go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add user B as Agent.

  2. Now add user B to a website widget.

  3. Now go to user B's account and change the full name to the XSS payload xss"'><img src=x onerror=alert(document.domain)>

  4. Now, as an external customer, send a support chat message. User B picks up this message and makes a reply.

  5. Now when the admin opens this support chat and mouses over the message, the XSS is executed under the admin account.

💥 Impact

An agent can carry out a stored XSS attack against an admin.

ranjit-git
2 years ago

Researcher


Bug present in https://github.com/chatwoot/chatwoot/blob/develop/app/javascript/dashboard/components/widgets/conversation/Message.vue#L180.

Suggested fix

content: `${this.$t('CONVERSATION.SENT_BY')} ${sender.name}`
---->
content: `${this.$t('CONVERSATION.SENT_BY')} ${encodeURI(sender.name)}`
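
An added example, not part of the original report or of Chatwoot's code: the tooltip `content` from the line referenced above, built once with the sender name unchanged and once with the name HTML-entity-escaped. `escapeHtml`, `tooltipUnsafe`, `tooltipEscaped`, `containsRawTag` and the `Sent by:` label are hypothetical, and it assumes the tooltip renders `content` as HTML; the `encodeURI` line shows what that call does to an ordinary display name.

```javascript
// Added example: helper names are hypothetical, not Chatwoot code.
// Assumption: the tooltip library inserts `content` into the DOM as HTML.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Stand-in for this.$t('CONVERSATION.SENT_BY').
const SENT_BY = 'Sent by:';

// "Before": the agent-controlled name is interpolated unchanged.
function tooltipUnsafe(sender) {
  return { content: `${SENT_BY} ${sender.name}`, classes: 'top' };
}

// "After": the name is entity-escaped before interpolation.
function tooltipEscaped(sender) {
  return { content: `${SENT_BY} ${escapeHtml(sender.name)}`, classes: 'top' };
}

// True if the string still contains a raw tag opener a browser would parse.
function containsRawTag(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Constructed sample senders: the name from the report and an ordinary name.
const reported = { name: `xss"'><img src=x onerror=alert(document.domain)>` };
const ordinary = { name: "Anne O'Neil & Co" };

for (const sender of [reported, ordinary]) {
  console.log('unsafe   :', tooltipUnsafe(sender).content);
  console.log('escaped  :', tooltipEscaped(sender).content);
  console.log('encodeURI:', `${SENT_BY} ${encodeURI(sender.name)}`);
}
```

Entity escaping leaves the name readable once the browser decodes it, whereas `encodeURI` percent-encodes spaces and other characters, so an ordinary name is displayed in encoded form.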

Jamie Slome
2 years ago

Admin


👍

Jamie Slome
2 years ago

Admin


Just adding these links for reference:

GitHub Issue

Patch PR

Cheers! 🍰
