Session Fixation in chatwoot/chatwoot


Reported on Jul 5th 2021

✍️ Description

The application is vulnerable to Session Fixation: even after a user changes their password, the old sessions on other devices persist.

🕵️‍♂️ Proof of Concept

  1. Open Chatwoot and log in to your account in multiple browsers.
  2. Change the account password in one of them and reload the other.
  3. Due to insufficient session expiration, you are not logged out of the account in the other browser.

💥 Impact

The session does not expire even after the password is changed.
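As an added example (not Chatwoot's code, and not the 2.4.0 fix itself), the following Ruby sketch models the behaviour described above and the expected mitigation: every other session is revoked when the password changes, and tokens issued before the change are rejected. `AccountSessions` and its in-memory token store are hypothetical.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory model of one account with several concurrent
# sessions (not Chatwoot's code). A password change revokes every session
# except the one that made it; older tokens are rejected even if they remain.
class AccountSessions
  attr_reader :password_changed_at

  def initialize
    @tokens = {}                      # SHA-256(token) => issued_at
    @password_changed_at = Time.now
  end

  # Issue a session token for a fresh login (e.g. a second browser).
  # Only the digest is stored, so a leaked store does not leak usable tokens.
  def login
    token = SecureRandom.hex(32)
    @tokens[digest(token)] = Time.now
    token
  end

  # Valid only if the digest is still stored AND the token was issued no
  # earlier than the most recent password change (defence in depth).
  def session_valid?(token)
    issued_at = @tokens[digest(token)]
    !issued_at.nil? && issued_at >= @password_changed_at
  end

  # The mitigation: on password change, record the time and drop every
  # token except the caller's, so other devices are logged out at once.
  def change_password!(current_token)
    raise ArgumentError, 'no active session' unless session_valid?(current_token)
    @password_changed_at = Time.now
    keep = digest(current_token)
    @tokens.select! { |d, _| d == keep }
    @tokens[keep] = @password_changed_at  # re-stamp so the caller stays valid
    true
  end

  def active_session_count
    @tokens.size
  end

  private
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

In the vulnerable behaviour reported here, the second browser's token would still validate after step 2; with this model, `session_valid?` returns false for it immediately.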

We have contacted a member of the chatwoot team and are waiting to hear back 2 years ago
2 years ago

Actually, this feature doesn't work.

Sojan Jose validated this vulnerability 2 years ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose
2 years ago

Maintainer will fix the change

Jamie Slome
2 years ago

@sojan-official - would it be possible to confirm the patch commit SHA that fixed this?

We can then go ahead and publish the CVE for you.

Sojan Jose marked this as fixed in 2.4.0 with commit 6fdd4a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE