Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot

Valid

Reported on

Jul 5th 2021


✍️ Description

XSS via file upload in profile settings

🕵️‍♂️ Proof of Concept

Open Chatwoot, log in to your profile, go to profile settings, upload an SVG file with an XSS payload and update the profile.

Open the avatar in a new page; the XSS will be triggered.

💥 Impact

Custom JavaScript code is executed.
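The defensive side of the upload path described above, as an added Ruby example that is neither Chatwoot's code nor the content of the fix in commit 6fdd4a: it assumes avatars are restricted to raster formats, detected from the file's first bytes rather than the client-supplied Content-Type, and shows the response headers that neutralise any user-supplied file that must still be served.

```ruby
# Added example (not chatwoot's own code). An SVG opened directly in the
# browser is rendered as an active document, so script or event handlers
# inside it run in the application's origin. Two defensive layers:
#  1. accept only raster formats for avatars, identified by magic bytes;
#  2. serve any user-supplied file that may be active content as a
#     download with a sandboxing CSP, so it cannot execute in the origin.

ALLOWED_MAGIC = {
  "image/png"  => "\x89PNG\r\n\x1A\n".b,
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/gif"  => "GIF8".b,
}.freeze

# Sniff the real type from the first bytes; nil when it is not an allowed raster.
def sniff_raster_type(bytes)
  head = bytes.b[0, 8]
  ALLOWED_MAGIC.each { |type, magic| return type if head.start_with?(magic) }
  nil
end

# True when the payload is XML/SVG-like markup (after optional BOM and
# whitespace), whatever Content-Type or extension the uploader declared.
def looks_like_markup?(bytes)
  bytes.b.delete_prefix("\xEF\xBB\xBF".b).lstrip.start_with?("<")
end

# Reject anything that is not a recognised raster image whose declared type
# matches its real type. Returns [ok, detail].
def validate_avatar(bytes, declared_type)
  return [false, "markup is not an accepted avatar format"] if looks_like_markup?(bytes)
  real = sniff_raster_type(bytes)
  return [false, "unrecognised image data"] if real.nil?
  return [false, "declared #{declared_type} does not match #{real}"] if declared_type != real
  [true, real]
end

# Headers for serving a user-supplied file that might be active content:
# force a download, forbid MIME sniffing, and sandbox it if rendered anyway.
def download_headers(filename)
  safe_name = filename.gsub(/[^\w.\-]/, "_")
  {
    "Content-Type"            => "application/octet-stream",
    "Content-Disposition"     => "attachment; filename=\"#{safe_name}\"",
    "X-Content-Type-Options"  => "nosniff",
    "Content-Security-Policy" => "default-src 'none'; sandbox",
  }
end
```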

We have contacted a member of the chatwoot team and are waiting to hear back 2 years ago
Ajmal Aboobacker modified the report
2 years ago
Pranav Raj S
2 years ago

Maintainer


Hey Ajmal, Thanks for reporting this. Would you be able to share a sample SVG? I tried doing it with a couple of them, those didn't work.

Ajmal
2 years ago

Researcher


https://drive.google.com/drive/folders/1Aylj448fnVZGmCocaQ0yZuH7ozvYFsTj?usp=sharing

Sojan Jose validated this vulnerability 2 years ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
2 years ago

Admin


@sojan-official - if possible, could you confirm the patch commit SHA that fixes this?

We can then go ahead and publish the CVE!

Ajmal
a year ago

Researcher


Hi @jamie, the issue is already fixed. Can you make the report public?

Jamie Slome
a year ago

Admin


Do you know the commit SHA for the fix?

Sojan Jose marked this as fixed in 2.6 with commit 6fdd4a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE