Chatwoot SQL Injection Vulnerability in Conversation and Contact Filter APIs

Vulnerability

A SQL injection vulnerability has been identified in Chatwoot versions from 2.2.0 up to, but not including, 4.11.2. The issue resides in the conversation and contact filter APIs, specifically when a filter targets a custom attribute of type date or number with the is_greater_than or is_less_than operator. The user-supplied entries in the values field of the filter payload are interpolated directly into the SQL query instead of being passed as bound parameters. Any authenticated user with access to an account can therefore execute arbitrary SQL through time-based blind injection. The affected endpoints are the conversation and contact filter APIs; the custom attribute definitions endpoint is also affected, because it can be used to store a crafted attribute key that is later embedded in the same query.
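To make the bug class concrete, the following is an added, constructed Ruby illustration (not Chatwoot's code): a filter-clause builder in the vulnerable shape described above, next to a hardened version that allow-lists the operator, validates the attribute key, coerces the value to the declared attribute type and hands both key and value to the database adapter as bind parameters. The JSONB column name custom_attributes, the helper names and the sample payload are assumptions made for the example; they are not taken from the advisory.

```ruby
require 'date'

# Constructed illustration of the bug class in the advisory. Hypothetical helper:
# it is not Chatwoot's code, and a JSONB column named custom_attributes holding
# the per-record custom attribute values is an assumption of this example.

ALLOWED_OPERATORS = {
  'is_greater_than' => '>',
  'is_less_than'    => '<'
}.freeze

# Vulnerable shape: the attribute key and the user-supplied comparison value are
# spliced into the SQL text, so a value such as "0) OR pg_sleep(5)--" becomes
# part of the statement instead of a compared number.
def vulnerable_clause(attribute_key, operator, value)
  op = ALLOWED_OPERATORS.fetch(operator)
  "((custom_attributes ->> '#{attribute_key}')::numeric #{op} #{value})"
end

# Hardened shape: operator from an allow-list, key checked against a strict
# pattern (a stored malicious key is rejected too), value coerced to the declared
# type, and key and value returned as "?" bind parameters for the adapter.
def safe_clause(attribute_key, operator, value, attribute_type)
  op = ALLOWED_OPERATORS.fetch(operator) do |key|
    raise ArgumentError, "operator not allowed: #{key}"
  end
  unless attribute_key.is_a?(String) && attribute_key.match?(/\A[a-z0-9_]{1,64}\z/)
    raise ArgumentError, 'invalid attribute key'
  end

  cast, typed =
    case attribute_type
    when :number
      ['numeric', Float(value.to_s)] # Float() raises ArgumentError on non-numeric input
    when :date
      text = value.to_s
      raise ArgumentError, 'invalid date format' unless text.match?(/\A\d{4}-\d{2}-\d{2}\z/)
      ['date', Date.iso8601(text).to_s] # Date.iso8601 raises on impossible dates
    else
      raise ArgumentError, "unsupported attribute type: #{attribute_type}"
    end

  ["((custom_attributes ->> ?)::#{cast} #{op} ?)", [attribute_key, typed]]
end

# Convenience for checks: true when the hardened builder refuses the input.
def rejected?(attribute_key, operator, value, attribute_type)
  safe_clause(attribute_key, operator, value, attribute_type)
  false
rescue ArgumentError, TypeError
  true
end

if __FILE__ == $PROGRAM_NAME
  payload = '0) OR pg_sleep(5)--' # constructed time-based blind payload
  puts vulnerable_clause('plan_value', 'is_greater_than', payload)
  puts safe_clause('plan_value', 'is_greater_than', '5', :number).inspect
  puts rejected?('plan_value', 'is_greater_than', payload, :number)
end
```

The important difference is where the user input ends up: in the vulnerable builder it is SQL text, in the hardened one it is data that the adapter sends separately from the statement. Type coercion before binding is the second line of defence: a number or date filter should never accept a value that is not a number or a date, regardless of how it is transported.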

Impact

Exploitation allows arbitrary SQL execution via time-based blind injection, with the potential to read data across tenant boundaries: user emails, bcrypt password hashes and API access tokens, as well as conversation contents, contact PII and integration credentials stored in the database.

Remediation

Users are advised to upgrade to Chatwoot version 4.11.2 or later. Those unable to upgrade immediately can restrict access to the vulnerable filter endpoints at the reverse-proxy or WAF layer, and remove all date and number custom attribute definitions while blocking their future creation. If exploitation is suspected, audit and rotate credentials, including API access tokens and user passwords. Because the injection is time-based, unusually slow requests to the filter endpoints in web-server or application logs are a useful indicator when auditing.

Added: May 26, 2026, 10:39 PM
Updated: May 26, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          3.1
exploitability  5.4
remediation     7.9
relevance       9.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.