Title

XSS in markdown link-maker

Description

While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified.

Steps to reproduce.

Note: this works in Safari and Firefox, not Chrome.

I will use Telegram bot.

1. 1. Start a conversation as an attacker with Chatwoot staff using created Telegram bot.
2. 2. Send payload [clickMe](javascript:alert(document.cookie)) as a message.
3. 3. As a Chatwoot staff click on the link, trigger an XSS.

Also it is possible to create a malicious link as a staff (e.g. leave it in other's staff conversation in order to trigger an XSS on their side).

1. 1. While intercepting your traffic send a message [clickMe](https://google.com) to pass frontend check.
2. 2. In the outcoming POST request to /api/v1/accounts/2/conversations/1/messages modify the body, so it looked something like this:

{
    "content":"[click](javascript:alert(document.cookie))",
    "private":false,
    "echo_id":"{yourId}",
    "cc_emails":"",
    "bcc_emails":""
}

3. 3. As some other staff click on the link, trigger an XSS.

I'm leaving a video PoC for both cases:

Video PoC

Possible remediation

Verify message content.

Impact

This vulnerability is capable of running an arbitrary JS code.