Improper Authorization lead a user add an arbitrary agent into Team in chatwoot/chatwoot

Valid

Reported on

Aug 15th 2022


Description

A Vulnerability in edit team function lead an user add another user via ID to Team, alternatively know the email of every user in Chatwoot

#Step to reproduce

  • login to the app -navigate to the Team setting: https://app.chatwoot.com/app/accounts/{id}/settings/teams/list -Create new or edit team -Add agent -> intercept request -modify userid, the response is the email of this user -add succesfullly

Proof of Concept

api: https://app.chatwoot.com/api/v1/accounts/{account.id}/teams/{team_id}/team_members
request body: {"user_ids":[68250]}
method PATCH

Response
[{"id":68250,"account_id":74402,"availability_status":null,"auto_offline":null,"confirmed":false,"email":"amethyst.craft.id@gmail.com","available_name":"Andhra","name":"Andhra","role":null,"thumbnail":""}]




Impact

-add arbitrary users via ID to Team -know every user email in chatwoot

We are processing your report and will contact the chatwoot team within 24 hours. a month ago
We have contacted a member of the chatwoot team and are waiting to hear back a month ago
Sojan Jose validated this vulnerability a month ago
4rth4s has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. 25 days ago
Tejaswini Chile confirmed that a fix has been merged on 329e8c 18 days ago
Tejaswini Chile has been awarded the fix bounty
to join this conversation