Chatwoot Blind SQL Injection Vulnerability in Conversation and Contact Filters

Vulnerability

A blind SQL injection vulnerability has been identified in Chatwoot versions prior to 3.16.0. The issue arises in the conversation and contact filters endpoints, which failed to properly sanitize the 'query_operator' input from the frontend or API. This lack of input validation allowed authenticated users to execute arbitrary SQL commands within the filter query by inserting a tautological 'WHERE' clause.

Impact

Exploitation of this vulnerability allowed for blind SQL injection, where an authenticated user could manipulate SQL queries executed by the application, potentially leading to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the conversation or contact filters endpoint with an unsanitized 'query_operator' value. The server will process the request and execute the injected SQL, allowing the attacker to manipulate the query's logic and potentially access or modify sensitive data.

Remediation

Users are advised to upgrade to Chatwoot version 3.16.0 or later, where this vulnerability has been patched.
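The fix the advisory describes is, in essence, allowlisting. As an added example (not Chatwoot's own code), here is a filter builder that accepts the operator joining filters and the per-attribute comparison operator only from fixed sets and binds user values as placeholders; the payload shape, attribute names and operator names are assumptions for illustration.

```ruby
# Added example, not Chatwoot's implementation. The filter payload shape
# (attribute_key / filter_operator / values / query_operator) and the
# allowlists below are assumptions made for illustration.
ALLOWED_QUERY_OPERATORS = %w[AND OR].freeze
ALLOWED_FILTER_OPERATORS = {
  'equal_to'     => '=',
  'not_equal_to' => '!=',
  'contains'     => 'ILIKE'
}.freeze
ALLOWED_ATTRIBUTES = %w[status assignee_id inbox_id].freeze

class InvalidFilter < StandardError; end

# Returns [sql_fragment, bind_values]. Every identifier and operator in the
# fragment comes from an allowlist; every user-supplied value becomes a '?'
# placeholder, so nothing from the request is ever spliced into the SQL text.
def build_filter_sql(filters)
  clauses = []
  binds = []
  filters.each_with_index do |f, i|
    attr = f['attribute_key']
    raise InvalidFilter, "unknown attribute #{attr.inspect}" unless ALLOWED_ATTRIBUTES.include?(attr)

    op = ALLOWED_FILTER_OPERATORS[f['filter_operator']]
    raise InvalidFilter, "unknown filter_operator #{f['filter_operator'].inspect}" unless op

    value = f['values'].first.to_s
    value = "%#{value}%" if op == 'ILIKE'
    clause = "conversations.#{attr} #{op} ?"
    binds << value

    # The joining operator is only meaningful between two filters; it is
    # compared against the allowlist rather than interpolated as received.
    if i < filters.length - 1
      qo = f['query_operator'].to_s.upcase
      raise InvalidFilter, "unknown query_operator #{f['query_operator'].inspect}" unless ALLOWED_QUERY_OPERATORS.include?(qo)
      clause += " #{qo}"
    end
    clauses << clause
  end
  [clauses.join(' '), binds]
end
```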

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (custom algorithm)

  Category        Score
  spread          5.2
  impact          2.5
  exploitability  6.4
  remediation     7.7
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.