chatwoot

vulnerability cross site scripting (xss)
severity 7.6
language ruby
registry other

#SUMMARY I contacted the company directly, but they told me to submit the bug through huntr

✍️ Description

Stored XSS. An agent can perform cross-site scripting against an admin.

#VIDEO POC https://drive.google.com/file/d/1vWXiFKbsqVhMUS4kgpz50wSNsFTo9Ny_/view?usp=sharing

🕵️‍♂️ Proof of Concept

STEPS TO REPRODUCE

  1. As the admin (user A), go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add user B as an agent.

  2. Now add user B to a website widget.

  3. Now go to user B's account and change the full name to the XSS payload xss"'><img src=x onerror=alert(document.domain)>

  4. Now, as an external customer, send a support chat message. User B picks up this message and replies to it.

  5. Now, when the admin opens this support conversation and hovers over the message, the XSS executes under the admin's account.
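As an added example (not Chatwoot's code), the rendering defect these steps describe: an agent-controlled display name interpolated into tooltip markup without escaping, shown beside a hardened version that escapes it. The function names and the tooltip markup are assumptions; the sample name used to exercise it is the payload from step 3.

```javascript
// Added example: safe vs. unsafe rendering of an untrusted display name.
// Function names and markup are assumptions, not Chatwoot's real code.

// Escape the five characters that can change HTML context, so the value is
// safe both as element text and inside a double- or single-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the agent's full name goes straight into the markup that
// is shown on mouseover. A name containing a quote and a tag breaks out of the
// title attribute and injects an element with an event handler.
function tooltipHtmlUnsafe(agentName) {
  return `<span class="tooltip" title="${agentName}">${agentName}</span>`;
}

// Hardened pattern: the same markup, but every untrusted value is escaped
// before interpolation. In a DOM-based view the equivalent is setting
// element.textContent / element.title instead of assigning innerHTML.
function tooltipHtmlSafe(agentName) {
  const name = escapeHtml(agentName);
  return `<span class="tooltip" title="${name}">${name}</span>`;
}

// Review/test helper: given rendered HTML and the number of tags the static
// template itself contributes, report whether the untrusted input added any
// tag of its own (an extra '<' that was not escaped).
function inputAddedTags(html, templateTagCount) {
  const opens = (html.match(/</g) || []).length;
  return opens > templateTagCount;
}

// Constructed sample: the display name from the reproduction steps.
const SAMPLE_NAME = 'xss"\'><img src=x onerror=alert(document.domain)>';
console.log('unsafe adds tags:', inputAddedTags(tooltipHtmlUnsafe(SAMPLE_NAME), 2)); // true
console.log('safe adds tags:  ', inputAddedTags(tooltipHtmlSafe(SAMPLE_NAME), 2));   // false
```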

💥 Impact

An agent can mount a stored XSS attack against an admin.