/

Improper Privilege Management in chatwoot/chatwoot

Valid

Reported on

May 6th 2021

✍️ Description

Privilege escalation bug to add slack integration by a agent

🕵️‍♂️ Proof of Concept

First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent . Now here user B cant add slack integration
Finally from user B account goto https://slack.com/oauth/v2/authorize?scope=commands,chat:write,channels:read,channels:manage,channels:join,groups:write,im:write,mpim:write,users:read,users:read.email,chat:write.customize,channels:history,groups:history,mpim:history,im:history&client_id=107017810452.1186911331618&redirect_uri=https://app.chatwoot.com/app/accounts/4534/settings/integrations/slack and here user B agent can add slack integration

💥 Impact

privilege escalation

commented 2 years ago

Maintainer

fix for this is already under work : https://github.com/chatwoot/chatwoot/pull/2224/files

commented 2 years ago

Admin

Do we have a patch commit SHA for this, or still awaiting merge into the main branch?

commented 2 years ago

Maintainer

@jamie Slome. It's still awaiting merge into the main branch.

commented 2 years ago

Admin

Great, thanks for the info!

Sojan Jose marked this as fixed with commit 534acf 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation

commented 2 years ago

Maintainer

fix for this is already under work : https://github.com/chatwoot/chatwoot/pull/2224/files

commented 2 years ago

Admin

Do we have a patch commit SHA for this, or still awaiting merge into the main branch?

commented 2 years ago

Maintainer

@jamie Slome. It's still awaiting merge into the main branch.

commented 2 years ago

Admin

Great, thanks for the info!

Sojan Jose marked this as fixed with commit 534acf 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation