Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot

Valid

Reported on

Jul 5th 2021


✍️ Description

Stored XSS via SVG avatar upload in profile settings: the avatar upload accepts an SVG file containing script, and the stored file is served back in a way that lets the browser render it as a document and execute the embedded JavaScript.

🕵️‍♂️ Proof of Concept

Open Chatwoot, log in, go to Profile Settings, upload an SVG file that contains an XSS payload (for example a <script> element, or an onload handler on the root <svg> element) as the avatar, and update the profile.

Open the avatar URL directly in a new tab. The file is served inline, so the browser renders the SVG as a document and the script runs. (The same file embedded through an <img> tag does not execute script; opening it directly is what triggers the XSS.)

💥 Impact

Attacker-controlled JavaScript executes in the browser of any user who opens the uploaded avatar URL directly, in the origin the avatar is served from. When that is the application's own origin, the script runs with the victim's session.
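The upload-and-serve behaviour described above, as an added example that is not part of the original report and not chatwoot's own code. It shows a constructed malicious SVG, an avatar check that rejects it by sniffing the bytes rather than trusting the client-declared type, and the response headers that keep any stored upload from rendering as a document in the application's origin. All constant and function names (`check_avatar`, `upload_response_headers`, and so on) are assumptions for illustration.

```ruby
# Added example (hypothetical names; not chatwoot's own code). Two layers against the
# "SVG avatar renders as a document and runs script" issue described above:
#   1. accept only raster avatars, decided from the file bytes, never the declared type;
#   2. serve every user upload with headers that stop inline rendering and script execution.

# Constructed sample: what the attacker uploads as an avatar. Opened as a top-level
# document it runs both the onload handler and the <script> element.
MALICIOUS_SVG = <<~SVG.b
  <?xml version="1.0" encoding="UTF-8"?>
  <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
    <script>alert(document.cookie)</script>
  </svg>
SVG

# Constructed sample: PNG signature plus the start of an IHDR chunk, enough for the check.
TINY_PNG = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR".b

# Magic bytes of the raster formats an avatar is allowed to be.
RASTER_MAGIC = {
  'image/png'  => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b],
}.freeze

# WebP is RIFF<4-byte size>WEBP, so the signature is split around the length field.
def webp?(bytes)
  bytes.bytesize >= 12 && bytes.byteslice(0, 4) == 'RIFF'.b && bytes.byteslice(8, 4) == 'WEBP'.b
end

# Returns the sniffed raster MIME type, or nil when the bytes match no allowed format.
def sniff_raster(bytes)
  RASTER_MAGIC.each do |type, sigs|
    return type if sigs.any? { |sig| bytes.byteslice(0, sig.bytesize) == sig }
  end
  webp?(bytes) ? 'image/webp' : nil
end

# Anything a browser would treat as a document (SVG, HTML, an XML prolog, or a bare
# <script>) in the first 4 KiB. NUL bytes are dropped first so a UTF-16-style
# "<\0s\0v\0g" spelling does not slip past the pattern. Assumption: this is a crude
# reject-list layered on top of the raster allow-list, not a sanitiser on its own.
ACTIVE_MARKUP = /<\s*(\?xml|!doctype|svg|html|script)\b/in

def active_markup?(bytes)
  head = bytes.byteslice(0, 4096).b.delete("\x00")
  head = head.byteslice(3..) if head.start_with?("\xEF\xBB\xBF".b) # strip a UTF-8 BOM
  head.match?(ACTIVE_MARKUP)
end

Decision = Struct.new(:allowed, :content_type, :reason)

# The client-declared type is only reported, never trusted: the stored type is the sniffed one.
def check_avatar(declared_type, bytes)
  return Decision.new(false, nil, 'document markup (SVG/HTML) is not an allowed avatar') if active_markup?(bytes)
  actual = sniff_raster(bytes)
  return Decision.new(false, nil, 'bytes match no allowed raster format') unless actual
  note = actual == declared_type ? 'ok' : "declared #{declared_type}, stored as #{actual}"
  Decision.new(true, actual, note)
end

# Headers for serving any user upload. `attachment` stops the browser rendering the file
# inline in the application's origin, nosniff stops it second-guessing the type, and the
# sandbox CSP leaves a rendered document with no script and an opaque origin.
def upload_response_headers(content_type)
  {
    'Content-Type'            => content_type,
    'Content-Disposition'     => 'attachment',
    'X-Content-Type-Options'  => 'nosniff',
    'Content-Security-Policy' => "sandbox; default-src 'none'",
  }
end

if $PROGRAM_NAME == __FILE__
  p check_avatar('image/png', MALICIOUS_SVG) # rejected even though the client claims PNG
  p check_avatar('image/png', TINY_PNG)
  p upload_response_headers('image/svg+xml')
end
```

The allow-list is the real control: an avatar has no need to be SVG, and deciding from the magic bytes means a renamed `.svg` with a forged `Content-Type: image/png` is still refused. The markup scan runs before the raster sniff so a polyglot that starts with a PNG signature but carries `<svg` in its first kilobytes is refused as well. Trying instead to sanitise SVG with a deny-list of dangerous elements and attributes is fragile (entities, namespaces, `foreignObject`, `href` with a `javascript:` scheme), which is why the example does not attempt it. The headers are the second layer for every user-supplied file, and serving uploads from a separate origin (a dedicated storage host) removes the session impact entirely even if a document does get stored.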

We have contacted a member of the chatwoot team and are waiting to hear back
a year ago
Ajmal Aboobacker modified the report
a year ago
Pranav Raj S
a year ago

Maintainer


Hey Ajmal, Thanks for reporting this. Would you be able to share a sample SVG? I tried doing it with a couple of them, those didn't work.

Ajmal
a year ago

Researcher


https://drive.google.com/drive/folders/1Aylj448fnVZGmCocaQ0yZuH7ozvYFsTj?usp=sharing

Sojan Jose validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
a year ago

Admin


@sojan-official - if possible, could you confirm the patch commit SHA that fixes this?

We can then go ahead and publish the CVE!

Ajmal
4 months ago

Researcher


Hi @jamie, the issue is already fixed. Can you make the report public?

Jamie Slome
4 months ago

Admin


Do you know the commit SHA for the fix?

Sojan Jose confirmed that a fix has been merged on 6fdd4a a month ago
The fix bounty has been dropped