Chatwoot Stored Cross-Site Scripting Vulnerability in Dashboard Apps

Vulnerability

A stored cross-site scripting vulnerability has been identified in Chatwoot versions from 3.0.0 up to, but not including, 3.5.1. It allows an admin user to inject malicious JavaScript into the dashboard app settings; the script then runs in the browser of another admin user when they open that dashboard app. The root cause is inadequate validation of the URL configured for a dashboard app, which lets a JavaScript payload be stored in place of a legitimate URL and executed in the context of whichever user views the app.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected script executes in the session of any user who accesses the dashboard app. This can lead to the unauthorized disclosure of sensitive information, such as access tokens and user identifiers, which the injected script can read from the victim's session and transmit to an external location.

Reproduction

To reproduce this vulnerability, an admin user (User A) creates another admin user (User B). User B then injects a malicious JavaScript payload into a dashboard app by bypassing the application's URL validation. When User A subsequently opens the dashboard app, the stored payload executes in User A's browser and can be used to read and exfiltrate sensitive information from User A's session.
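The root cause described above is a URL field that accepts non-http(s) schemes. The following is an added example of an allowlist validator for such a field, not Chatwoot's own code or its fix; it assumes the only legitimate dashboard app URLs are absolute http or https URLs with a host, and it treats anything else (other schemes, protocol-relative or bare paths, unparseable input, scheme hidden behind leading whitespace or control characters) as invalid.

```ruby
require "uri"

# Added example, not Chatwoot's own code. Allowlist check for a URL that
# will be loaded into an embedded dashboard app frame: only absolute
# http(s) URLs with a host pass.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns true only when +raw+ is an absolute http(s) URL with a host.
# A denylist of bad schemes is deliberately not used: an allowlist rejects
# every non-http(s) scheme, including ones not anticipated here.
def safe_dashboard_app_url?(raw)
  return false unless raw.is_a?(String)
  # Reject surrounding whitespace and control characters outright. Browsers
  # strip some of these while resolving a URL, so a scheme check that runs
  # on the untrimmed string can disagree with what the browser actually loads.
  return false if raw != raw.strip || raw.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(raw)
  # Scheme must be present and on the allowlist (compared case-insensitively).
  return false unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  # Protocol-relative ("//host/...") and bare paths parse without a host.
  return false if uri.host.nil? || uri.host.empty?
  true
rescue URI::InvalidURIError
  # Unparseable input is never passed through to the frame.
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a stand-alone run.
  ["https://example.com/app", "//example.com/app", "example.com/app",
   "javascript:alert(1)", " javascript:alert(1)"].each do |u|
    puts "#{safe_dashboard_app_url?(u) ? 'allow ' : 'reject'} #{u.inspect}"
  end
end
```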

Remediation

Users can update to Chatwoot version 3.5.2 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          1.7
exploitability  4.6
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.