Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot
Dec 25th 2021
Stored XSS in
Relying on a frontend URI check without verifying it on the backend allows injection of arbitrary JS code.
Steps to reproduce
- 1. Create a custom attribute, set its type to
- 2. Navigate to any conversation, click on the right sidebar.
- 3. Add a custom attribute, set its value to any valid URI.
- 4. While intercepting traffic, save a new value and observe an outgoing request to
- 5. In the POST request's body use something like:
- 6. Click on the link, trigger an XSS.
Note: it works in Safari and Firefox, not Chrome
Proof of Concept
This vulnerability is capable of running arbitrary JS code.
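The root cause above is that the URI check lived only in the frontend. The following is an added example, not chatwoot's own code, of the server-side allowlist check that a backend would apply to a link-type custom attribute before storing it; the function name and the sample inputs are assumptions constructed for illustration.

```ruby
require "uri"

# Added example (not chatwoot's code): backend validation for a custom
# attribute of link type. Intended to run where the value is persisted,
# so it holds regardless of what the frontend already checked.
ALLOWED_LINK_SCHEMES = %w[http https].freeze

# Returns true only for an absolute http(s) URL with a non-empty host.
# Anything else (other schemes, relative values, unparsable input) is
# rejected rather than trusted on the strength of the client-side check.
def safe_link_value?(value)
  return false unless value.is_a?(String)

  uri = URI.parse(value.strip)
  ALLOWED_LINK_SCHEMES.include?(uri.scheme&.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Returns the value if it is acceptable, or nil so the caller can reject
# the request; a helper of the kind a model validation would wrap.
def sanitized_link_value(value)
  safe_link_value?(value) ? value.strip : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a quick manual run.
  ["https://example.com/docs?x=1", "javascript:void(0)", "example.com"].each do |v|
    puts "#{v.inspect} -> #{safe_link_value?(v)}"
  end
end
```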
commented a year ago
Sorry, forgot to add my rationale on it: this exploit may be abused by an Agent to leverage privileges to
We have sent a third and final follow-up to the chatwoot team. This report is now considered stale. a year ago
Muhsin Keloth validated this vulnerability a year ago
Scaramouche has been awarded the disclosure bounty
The fix bounty is now up for grabs
Muhsin Keloth marked this as fixed in 2.2.0 with commit 9f37a6 a year ago
This vulnerability will not receive a CVE