Headline
CVE-2022-0542: Cross-site Scripting (XSS) - DOM in chatwoot
Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.
Title
XSS in markdown link-maker
Description
While chatting with a client, both sides may use markdown. However, neither the client's nor the Chatwoot agent's input is validated: a markdown link whose destination uses the javascript: scheme is rendered as a clickable anchor with that destination as its href.
Steps to reproduce
Note: this works in Safari and Firefox, not Chrome.
I will use a Telegram bot.
1. Start a conversation as the attacker with Chatwoot staff through the created Telegram bot.
2. Send the payload [clickMe](javascript:alert(document.cookie)) as a message.
3. As Chatwoot staff, click on the link to trigger the XSS.
It is also possible to create a malicious link as a staff member (e.g. leave it in another staff member's conversation in order to trigger an XSS on their side). The payload is only checked in the frontend, so it can be submitted directly to the API:
1. While intercepting your traffic, send the message clickMe to pass the frontend check.
2. In the outgoing POST request to /api/v1/accounts/2/conversations/1/messages, modify the body so that it looks like this:
{ "content":"[click](javascript:alert(document.cookie))", "private":false, "echo_id":"{yourId}", "cc_emails":"", "bcc_emails":"" }
3. As some other staff member, click on the link to trigger the XSS.
I’m leaving a video PoC for both cases:
Video PoC
Possible remediation
Validate message content on the server and sanitize links when rendering markdown on the client: only allow link destinations whose scheme is http, https or mailto (after stripping whitespace and control characters, which browsers ignore when parsing the scheme), and render any other destination as plain text rather than as an anchor. A frontend-only check is not sufficient, as the second reproduction path shows.
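The following is an added example, not Chatwoot's own renderer: a minimal markdown link-to-HTML converter shown first in the unchecked form the report describes, then hardened with a scheme allow-list. The function names, the allow-list and the sample messages are assumptions made for illustration.

```javascript
// Added example (not Chatwoot's code): a minimal markdown link renderer, first
// in the vulnerable form the report describes, then hardened with a
// destination-scheme allow-list. Names and the allow-list are assumptions.

// [text](destination); the destination may contain one level of balanced
// parentheses, which is what lets javascript:alert(document.cookie) through.
const LINK_RE = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable renderer: the destination becomes the href unchecked, so a
// javascript: destination executes when a staff member clicks the link.
function renderLinksUnsafe(md) {
  return md.replace(LINK_RE, (_, text, href) => `<a href="${href}">${text}</a>`);
}

// Allow-list of schemes that may appear in an href. Relative URLs (no scheme)
// are also accepted. Everything else, including javascript:, data: and
// vbscript:, is rejected by construction rather than by a deny-list.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeHref(raw) {
  // Browsers strip ASCII control characters and leading/trailing whitespace
  // before parsing the scheme, so "java\u0001script:" and "\tjavascript:"
  // still execute; normalise the same way before looking at the scheme.
  const cleaned = raw.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m === null) return true; // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Hardened renderer: an unsafe destination is dropped and only the link text
// is emitted, so the message stays readable but nothing clickable carries
// the payload. The href is attribute-escaped as well.
function renderLinksSafe(md) {
  return md.replace(LINK_RE, (_, text, href) => {
    const safeText = escapeHtml(text);
    if (!isSafeHref(href)) return safeText;
    return `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${safeText}</a>`;
  });
}

// Constructed sample messages: the report's two payloads and a benign link.
const SAMPLES = [
  '[clickMe](javascript:alert(document.cookie))',
  '[click](javascript:alert(document.cookie))',
  '[docs](https://example.com/a?b=1&c=2)',
];

for (const msg of SAMPLES) {
  console.log('unsafe:', renderLinksUnsafe(msg));
  console.log('safe:  ', renderLinksSafe(msg));
}
```

The check runs at render time, so it covers both reproduction paths (a client message arriving through a channel and a staff message posted straight to the API), and it allows known-good schemes instead of blocking known-bad ones, which is why case variations such as JavaScript: and control-character insertions fall through to the same rejection.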
Impact
This vulnerability allows arbitrary JavaScript to run in the browser of any staff member who clicks the link, in the context of the Chatwoot application (the PoC reads document.cookie).