Origin Validation Error in chatwoot/chatwoot
Oct 17th 2021
chatwoot fails to validate the original email when a user changes his/her email address in
An attacker may use the mechanism to forge arbitrary emails (especially in a trusted domain)
Proof of Concept
My original email is:
email@example.com, and I had confirmed it by clicking the corresponding URL.
But when I change my email to another address, i.e.
firstname.lastname@example.org, it does NOT require confirmation!
This vulnerability is capable of
- An attacker may use the mechanism to forge arbitrary emails (especially in a trusted domain)
- impersonating staff from your official sites, such as FOO@chatwoot.com
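The missing control described above is a "reconfirmable" email change: the new address must stay pending until whoever owns that mailbox presents a confirmation token. The following is an added example (not chatwoot's code) of that pattern in plain Ruby; the class and method names are illustrative and the token would in practice be emailed to the new address.

```ruby
require 'securerandom'
require 'digest'

# Illustrative user model (not chatwoot's): a requested email change is parked
# in `unconfirmed_email` and only applied once the token sent to the NEW
# address is presented. Until then the trusted `email` is unchanged.
class ReconfirmableUser
  attr_reader :email, :unconfirmed_email

  def initialize(email)
    @email = email               # the confirmed, trusted address
    @unconfirmed_email = nil
    @confirmation_digest = nil   # SHA-256 of the outstanding token
  end

  # Step 1: record the requested address and return the token that would be
  # emailed to the new mailbox. Only a digest of the token is stored.
  def request_email_change(new_email)
    token = SecureRandom.hex(16)
    @unconfirmed_email = new_email
    @confirmation_digest = Digest::SHA256.hexdigest(token)
    token
  end

  # Step 2: apply the change only if the presented token matches the pending
  # request. Returns true on success, false otherwise (nothing changes).
  def confirm_email_change(token)
    return false if @unconfirmed_email.nil? || @confirmation_digest.nil?
    return false unless secure_compare(Digest::SHA256.hexdigest(token), @confirmation_digest)
    @email = @unconfirmed_email
    @unconfirmed_email = nil
    @confirmation_digest = nil
    true
  end

  private

  # Constant-time comparison so the digest is not leaked byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A second confirmation step for the old address (notifying it of the pending change) is a common additional safeguard, but the core fix is that the new address never goes live before its owner confirms it.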