Improper Privilege Management in chatwoot/chatwoot

Valid

Reported on May 6th 2021


✍️ Description

Privilege escalation bug allowing a Slack integration to be added by an agent

🕵️‍♂️ Proof of Concept

  1. First, go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from an admin account and add a user B as an agent. At this point user B can't add a Slack integration.
  2. Finally, from user B's account go to https://slack.com/oauth/v2/authorize?scope=commands,chat:write,channels:read,channels:manage,channels:join,groups:write,im:write,mpim:write,users:read,users:read.email,chat:write.customize,channels:history,groups:history,mpim:history,im:history&client_id=107017810452.1186911331618&redirect_uri=https://app.chatwoot.com/app/accounts/4534/settings/integrations/slack and here user B, an agent, can add the Slack integration.

💥 Impact

Privilege escalation
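The pattern behind this report is a role check that exists only in the front end (the "add Slack" control is hidden from agents) while the server-side OAuth callback trusts any member who reaches it. The following is an added example, not Chatwoot's code or its fix: a minimal model of that callback with the vulnerable handler beside a hardened one; the account id, user ids, membership table and permission table are constructed fixtures.

```ruby
# Added example, not Chatwoot's code: a minimal model of the Slack OAuth
# callback the report describes. The UI hides "add Slack" from agents, but
# if the server-side callback handler does not check the caller's role,
# any agent can open the OAuth URL with the callback as redirect_uri.
# Account ids, user ids and the membership table are constructed fixtures.

class NotAuthorized < StandardError; end

# (account_id, user_id) => role. Constructed data, not real accounts.
MEMBERSHIPS = {
  [4534, 1] => :administrator,
  [4534, 2] => :agent
}.freeze

# Actions each role may perform on an account (only what this example needs).
PERMISSIONS = {
  administrator: [:view_inbox, :manage_integrations],
  agent: [:view_inbox]
}.freeze

DENIED_LOG = [] # audit trail of refused attempts; useful for detection

def authorize!(account_id, user_id, action)
  role = MEMBERSHIPS[[account_id, user_id]]
  return true if role && PERMISSIONS.fetch(role).include?(action)
  DENIED_LOG << { account_id: account_id, user_id: user_id, action: action }
  raise NotAuthorized, "user #{user_id} may not #{action} on account #{account_id}"
end

# Vulnerable handler: only membership is checked, so an agent who reaches the
# callback URL directly gets the integration created.
def slack_callback_vulnerable(account_id, user_id, code, hooks)
  raise NotAuthorized, "not a member" unless MEMBERSHIPS[[account_id, user_id]]
  hooks << { account_id: account_id, app: "slack", code: code }
  hooks.last
end

# Hardened handler: the role check is enforced server-side at the callback,
# independent of whatever the front end shows or hides.
def slack_callback_hardened(account_id, user_id, code, hooks)
  authorize!(account_id, user_id, :manage_integrations)
  hooks << { account_id: account_id, app: "slack", code: code }
  hooks.last
end
```

Denied attempts are recorded in DENIED_LOG so an agent probing the callback URL shows up in an audit trail rather than silently failing.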

Sojan Jose
a year ago

The fix for this is already under work: https://github.com/chatwoot/chatwoot/pull/2224/files

Jamie Slome
a year ago

Admin


Do we have a patch commit SHA for this, or still awaiting merge into the main branch?

Sojan Jose
a year ago

@Jamie Slome, it's still awaiting merge into the main branch.

Jamie Slome
a year ago

Admin


Great, thanks for the info!

Sojan Jose confirmed that a fix has been merged on 534acf a year ago
The fix bounty has been dropped