Improper Privilege Management in chatwoot/chatwoot


Reported on

Apr 30th 2021

✍️ Description

Privilege escalation to view all conversation

🕵️‍♂️ Proof of Concept

  1. First goto from admin account and add a user B as agent .
  2. now goto and add a inbox .In this inbox dont add user B as collaborator. Only allow admin himself . So, user B should not see this inbox conversation .
  3. Finally goto user B account and see he has no inbox conversation to his account . Now user B open this url and see all conversation . here in this url change conversation id and see all conversation. If user B want to see conversation 1 then visit url like and see all message in this conversation .


💥 Impact

Privilege escalation to view all conversations

Sojan Jose
2 years ago

Thanks for reporting. I have added a pull request addressing the changes

Sojan Jose
2 years ago

fixed in

Sojan Jose marked this as fixed with commit 534acf 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation