Chatwoot Cross-Site Scripting Vulnerability in Admin Interface

Vulnerability

A reflected DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in Chatwoot versions through 4.7.0. The issue resides in the Admin Interface component, specifically within the file IframeLoader.vue. The vulnerability is triggered by manipulating the 'link' parameter, which is directly injected into an iframe's 'src' attribute without proper validation. This oversight allows the execution of arbitrary JavaScript or the loading of external pages, potentially leading to phishing attacks or the theft of authentication tokens.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript within a trusted origin, the theft of authentication tokens, and the possibility of phishing or UI redressing attacks within the Chatwoot platform.

Reproduction

To reproduce this vulnerability, send a request to the Chatwoot admin interface with a crafted URL that includes a 'link' parameter. This parameter should contain a JavaScript payload or a URL to an external phishing site. The injected script will execute in the context of the admin interface, exploiting the XSS vulnerability.

Remediation

To address this vulnerability, Chatwoot developers should implement proper sanitization of the 'link' parameter before it is used in the iframe 'src' attribute. This can be done by validating the 'link' value as a URL and rejecting anything that is not an expected, safe destination before it reaches the iframe.
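The check described above, as an added example rather than Chatwoot's own code: a small validator for a user-supplied 'link' value that must only ever reach an iframe 'src' if it parses as an absolute https URL, carries no embedded credentials, and (optionally) points at an allow-listed host. The function names, the https-only rule and the allow-list are assumptions for illustration; the sample inputs are constructed.

```javascript
// Added example, not from the Chatwoot project. Validates a "link" value
// before it is bound to <iframe :src>. Names and policy are assumptions.

// Only absolute https URLs are accepted; this rejects javascript:, data:,
// vbscript:, blob: and plain http: inputs in one place.
const ALLOWED_PROTOCOLS = new Set(["https:"]);

// Returns the normalised absolute URL string to bind, or null if the input
// must be rejected (the caller then renders nothing instead of the iframe).
function safeIframeSrc(link, allowedHosts = []) {
  if (typeof link !== "string" || link.trim() === "") return null;

  let url;
  try {
    // No base URL is given on purpose: relative or scheme-less inputs such
    // as "//evil.example" or "/path" throw here and are rejected.
    url = new URL(link);
  } catch {
    return null;
  }

  // The WHATWG parser lower-cases the scheme and strips embedded tabs and
  // newlines, so "java\tscript:" still ends up as "javascript:" and fails here.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;

  // "https://user:pass@host" is a classic phishing aid; refuse it outright.
  if (url.username !== "" || url.password !== "") return null;

  // Optional host allow-list (hostnames are already lower-cased by the parser).
  if (allowedHosts.length > 0 && !allowedHosts.includes(url.hostname)) {
    return null;
  }

  return url.href;
}

// Convenience wrapper for the reflected case: read "link" from the page's
// query string (window.location.search in a browser) and validate it.
function iframeSrcFromQuery(search, allowedHosts = []) {
  const params = new URLSearchParams(search);
  return safeIframeSrc(params.get("link") ?? "", allowedHosts);
}

// Constructed sample inputs showing what the check accepts and rejects.
const SAMPLE_LINKS = [
  "https://docs.example.com/page",          // accepted
  "http://docs.example.com/page",           // rejected: not https
  "javascript:void(0)",                     // rejected: script scheme
  "data:text/html,hello",                   // rejected: data scheme
  "//docs.example.com/page",                // rejected: no scheme
  "https://user:pw@docs.example.com/page",  // rejected: credentials
];

function demo() {
  return SAMPLE_LINKS.map((link) => [link, safeIframeSrc(link)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [link, result] of demo()) {
    console.log(`${result === null ? "REJECT" : "ACCEPT"}  ${link}`);
  }
}
```

In a Vue component the result would be bound as `<iframe v-if="src" :src="src">`, with `src` computed through `safeIframeSrc` so that a rejected value renders no iframe at all; validating in a computed property rather than in the template keeps the policy in one testable place.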

Added: Oct 27, 2025, 8:20 AM
Updated: Oct 27, 2025, 2:13 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.1
exploitability: 7.9
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.