Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Reported on
Feb 9th 2022
Description
To render raw HTML in Vue.js you may use the v-html attribute, which opens the door to XSS whenever the rendered string contains attacker-controlled input.
Chatwoot actually uses it in several places, for example in https://github.com/chatwoot/chatwoot/blob/develop/app/javascript/dashboard/modules/contact/components/MergeContactSummary.vue:
  <span
    v-html="
      $t('MERGE_CONTACTS.SUMMARY.DELETE_WARNING', {
        childContactName,
      })
    "
  />
Thus, merging a contact whose childContactName contains a malicious payload (for example "/><img src=x onerror=alert(1)>) leads to XSS, because the translated message is interpolated with the raw name and then rendered as HTML.
Steps to reproduce
1. Either set your nickname to a malicious payload as a non-privileged user, or change someone's name as an Agent (to trigger the XSS on the admin's side).
2. As an admin, merge a normal user with one that has the payload in its nickname.
3. The XSS will be triggered.
P.S.: Chatwoot uses v-html in several other places; I will take a look at them and update my report if needed.
P.P.S.: I can't give you a video PoC for this exact XSS because after an update my Chatwoot Heroku instance broke and I can't add new customers via Telegram, lol.
I receive "Wrong response from the webhook: 503 Service Unavailable".
Here is a link just in case: https://api.telegram.org/bot5215041570:AAEzj5AkzgttlDgPl1lU_7gF58whxoVaTA8/getWebhookInfo
So if you face any problems with reproducibility, please let me know and I will install Chatwoot on a local instance.
Just as an addition: I use Telegram to add test customers.