Improper Privilege Management in chatwoot/chatwoot

Valid
Reported on May 6th 2021

✍️ Description

Privilege escalation bug: an agent (non-administrator) can add the Slack integration.

🕵️‍♂️ Proof of Concept

  1. First, go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from an admin account and add a user B as an agent. On this settings page, user B cannot add the Slack integration.
  2. Finally, from user B's account, go to https://slack.com/oauth/v2/authorize?scope=commands,chat:write,channels:read,channels:manage,channels:join,groups:write,im:write,mpim:write,users:read,users:read.email,chat:write.customize,channels:history,groups:history,mpim:history,im:history&client_id=107017810452.1186911331618&redirect_uri=https://app.chatwoot.com/app/accounts/4534/settings/integrations/slack and here user B, an agent, can add the Slack integration.
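The defect class this report describes is an authorization check enforced only in the settings UI, while the server-side handler for the Slack OAuth redirect verifies account membership but not role. The following is an added example written for this page, not Chatwoot's own code: a plain-Ruby model of such a callback handler in its vulnerable and hardened shapes, with constructed sample data (account, user ids, role names and OAuth code are all assumptions).

```ruby
# Added example, not Chatwoot's code. Models the authorization defect behind
# this report: the role check on the Slack integration callback must live
# where the integration is actually created, not only in the settings page.

# Constructed membership record: which user belongs to which account, with what role.
AccountUser = Struct.new(:user_id, :account_id, :role)

class Account
  attr_reader :id, :members, :integrations

  def initialize(id)
    @id = id
    @members = []        # AccountUser records
    @integrations = {}   # e.g. { slack: {...} } once a hook is stored
  end
end

# Simulates the server-side handler behind the OAuth redirect URI
# (.../settings/integrations/slack?code=...). Slack sends the browser there
# after the authorize step; the application then stores the hook.
module SlackCallback
  Unauthorized = Class.new(StandardError)

  # Vulnerable shape: only membership in the account is verified. Any agent
  # who reaches the redirect URL directly completes the flow, because the
  # "administrators only" rule existed solely in the UI.
  def self.vulnerable(account, user_id, oauth_code)
    membership = account.members.find { |m| m.user_id == user_id }
    raise Unauthorized, "not a member of account #{account.id}" unless membership

    account.integrations[:slack] = { code: oauth_code, created_by: user_id }
    :created
  end

  # Hardened shape: the same role requirement the settings page shows is
  # enforced again here, on the request that changes state.
  def self.hardened(account, user_id, oauth_code)
    membership = account.members.find { |m| m.user_id == user_id }
    raise Unauthorized, "not a member of account #{account.id}" unless membership
    raise Unauthorized, "administrator role required" unless membership.role == :administrator

    account.integrations[:slack] = { code: oauth_code, created_by: user_id }
    :created
  end
end

# Constructed sample data: one account with an administrator (user 1) and an agent (user 2).
def build_sample_account
  account = Account.new(1)
  account.members << AccountUser.new(1, account.id, :administrator)
  account.members << AccountUser.new(2, account.id, :agent)
  account
end

# Runs one handler for one user against a fresh sample account and reports
# whether the integration was created or the request was denied.
def attempt(handler, user_id)
  account = build_sample_account
  SlackCallback.public_send(handler, account, user_id, "constructed-oauth-code")
rescue SlackCallback::Unauthorized
  :denied
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable handler, agent:      #{attempt(:vulnerable, 2)}"   # :created
  puts "hardened handler, agent:        #{attempt(:hardened, 2)}"     # :denied
  puts "hardened handler, administrator: #{attempt(:hardened, 1)}"   # :created
  puts "hardened handler, non-member:    #{attempt(:hardened, 99)}"  # :denied
end
```

The point of the two shapes side by side is that the redirect URI is a reachable endpoint like any other: hiding the "Add integration" control from agents changes nothing about who can complete the OAuth callback, so the role check has to be repeated in the handler (or in a policy object it calls) and covered by a test that exercises the agent role directly against that endpoint.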

💥 Impact

Privilege escalation: an agent can add the Slack integration, an action the agent role is otherwise not allowed to perform.