Improper Privilege Management in chatwoot/chatwoot

Reported on May 6th 2021

✍️ Description

Privilege escalation bug that lets an agent add a Slack integration.

🕵️‍♂️ Proof of Concept

  1. First, from the admin account, add a user B as an agent. Here user B cannot add a Slack integration.
  2. Then, from user B's account, go to ,chat:write,channels:read,channels:manage,channels:join,groups:write,im:write,mpim:write,users:read,,chat:write.customize,channels:history,groups:history,mpim:history,im:history&client_id=107017810452.1186911331618&redirect_uri= and here user B, an agent, can add a Slack integration.
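The defensive point behind these steps, as an added illustration in plain Ruby that is not chatwoot's own code: the decision about who may attach a Slack integration has to be made on the server endpoint that creates it, because the OAuth flow can be started by opening the authorize URL directly no matter what the UI shows. All names below (User, Account, SlackCallback, Forbidden) are assumptions for the example.

```ruby
# Added illustration, not chatwoot's code. Models the server-side decision a
# Slack OAuth callback must make before attaching an integration to an account.
# All names here (User, Account, SlackCallback, Forbidden) are assumptions.
User = Struct.new(:id)
# members: user_id => role (:administrator or :agent); hooks: attached integrations
Account = Struct.new(:id, :members, :hooks)

class Forbidden < StandardError; end

class SlackCallback
  def initialize(account)
    @account = account
  end

  # Role the user holds in this account, or nil if not a member at all.
  def role_of(user)
    @account.members[user.id]
  end

  # Only account administrators may add integrations; agents and non-members may not.
  def permitted?(user)
    role_of(user) == :administrator
  end

  # Vulnerable pattern: the UI hides "add Slack" from agents, but the callback
  # itself trusts any signed-in account member, so an agent who opens the Slack
  # authorize URL directly still lands here and the hook is created.
  def handle_unchecked(user, oauth_code)
    attach_hook(user, oauth_code)
  end

  # Hardened pattern: the role check lives on the endpoint that creates the
  # hook, so a hidden button in the UI is no longer the only control.
  def handle(user, oauth_code)
    raise Forbidden, "user #{user.id} (#{role_of(user) || 'not a member'}) may not add integrations" unless permitted?(user)
    attach_hook(user, oauth_code)
  end

  private

  # Stand-in for exchanging oauth_code with Slack and persisting the integration.
  def attach_hook(user, oauth_code)
    hook = { app: :slack, added_by: user.id, code: oauth_code }
    @account.hooks << hook
    hook
  end
end
```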

💥 Impact

Privilege escalation: an agent can add a Slack integration, which the agent role is not allowed to do.