We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Session Fixation in chatwoot/chatwoot

Valid

Reported on

Jul 5th 2021

✍️ Description

The application is vulnerable to Session Fixation vulnerability even after a user changes its password the old sessions on other devices persist.

🕵️‍♂️ Proof of Concept

  1. open chatwoot and login to your account on multiple browsers
  2. change the password of the account on one of them and reload the other
  3. due to insufficient session expiration, we will not be logged out of the account in the other browser.

💥 Impact

The session will not expire even after changing the password

We have contacted a member of the chatwoot team and are waiting to hear back 2 years ago
Ajmal
2 years ago

Researcher

actually this feature doesn't work.

Sojan Jose validated this vulnerability 2 years ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose
2 years ago

Maintainer

https://github.com/chatwoot/chatwoot/pull/2893 will fix the change

Jamie Slome
2 years ago

Admin

@sojan-official - would it be possible to confirm the patch commit SHA that fixed this?

We can then go ahead and publish the CVE for you.

Sojan Jose marked this as fixed in 2.4.0 with commit 6fdd4a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation