CVE-2024-0640
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Chatwoot allows admin users to inject malicious JavaScript code via dashboard app settings. This code executes when other admin users access the affected dashboard, potentially compromising admin sessions. Only Chatwoot instances running versions 3.0.0 through 3.5.1 with admin users are affected.
💻 Affected Systems
- chatwoot/chatwoot
📦 What is this software?
Chatwoot by Chatwoot
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could steal other admin users' session tokens, perform unauthorized actions as those users, or deploy additional malware within the Chatwoot environment.
Likely Case
Malicious admin could perform session hijacking against other admins, leading to unauthorized configuration changes or data access within the Chatwoot platform.
If Mitigated
With proper admin user vetting and monitoring, impact is limited to potential configuration changes by a rogue admin, but no privilege escalation beyond existing admin rights.
🎯 Exploit Status
Exploitation requires admin credentials. The vulnerability is in the dashboard app settings interface where JavaScript injection is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.2
Vendor Advisory: https://github.com/chatwoot/chatwoot/commit/e39c14460b860d5e3d23d989dd6af48404ad1bb4
Restart Required: Yes
Instructions:
1. Backup your Chatwoot database and configuration.
2. Update to version 3.5.2 or later using your deployment method (Docker, manual, etc.).
3. Restart the Chatwoot service.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Access
Temporarily limit admin user accounts to only essential personnel and implement strict monitoring of admin activities.
Content Security Policy
Implement strict Content Security Policy headers to mitigate XSS impact by restricting script execution sources.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for dashboard app settings fields
- Enable audit logging for all admin actions and regularly review for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check your Chatwoot version. If it's between 3.0.0 and 3.5.1 inclusive, you are vulnerable.
Check Version:
For Docker or any running instance: query the application's own API root, which reports the installed release as a JSON version field: curl -s https://<your-chatwoot-host>/api ; For manual: cat /opt/chatwoot/.version. Note that rails -v reports the Rails framework version, not Chatwoot's, so docker exec chatwoot bundle exec rails -v | grep chatwoot will never match and should not be used as the check.
Verify Fix Applied:
After updating, verify the version is 3.5.2 or higher and test that JavaScript injection in dashboard app settings is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual admin user activity patterns
- JavaScript code in dashboard app settings modifications
- Multiple admin session creations from single user
Network Indicators:
- Unexpected external script loads from Chatwoot dashboard pages
- Suspicious outbound connections following admin dashboard access
SIEM Query (illustrative Splunk-style pseudo-queries; the source, event, data, user and ip field names are assumptions that depend on how Chatwoot logs are ingested):
- Script tags written into dashboard app settings: source="chatwoot" event="settings_update" data="*<script*"
- Several distinct admin logins from one IP within 5 minutes: source="chatwoot" event="admin_login" | bin _time span=5m | stats dc(user) AS admins BY ip, _time | where admins > 1
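The two detection conditions above, implemented as an added example over constructed audit events (this is not code from the advisory or from Chatwoot): the event names, field names and timestamp format are assumptions about how the logs are ingested, and the script-tag check also catches a URL-encoded tag and mixed case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample audit events (not real Chatwoot logs); the event names,
# field names and timestamp format are assumptions about how logs are ingested.
SAMPLE_LOGS = [
    {"ts": "2024-01-15T10:00:00Z", "event": "admin_login", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-01-15T10:02:00Z", "event": "settings_update", "user": "alice", "ip": "10.0.0.5",
     "data": '{"title":"CRM","url":"https://crm.example/embed"}'},
    {"ts": "2024-01-15T10:03:00Z", "event": "admin_login", "user": "bob", "ip": "10.0.0.5"},
    {"ts": "2024-01-15T10:04:30Z", "event": "settings_update", "user": "bob", "ip": "10.0.0.5",
     "data": '{"title":"Reports<ScRiPt>...</script>","url":"https://reports.example"}'},
    {"ts": "2024-01-15T10:05:00Z", "event": "admin_login", "user": "carol", "ip": "10.0.0.5"},
    {"ts": "2024-01-15T10:06:00Z", "event": "settings_update", "user": "carol", "ip": "10.0.0.5",
     "data": '{"title":"Wiki","url":"https://wiki.example/?q=%3Cscript%3E..."}'},
    {"ts": "2024-01-15T12:00:00Z", "event": "admin_login", "user": "dave", "ip": "10.0.0.9"},
]

# Match "<script" regardless of case or whitespace; the payload is URL-decoded
# first so a percent-encoded tag does not slip past a literal substring search.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_script_injections(events):
    """settings_update events whose payload carries a <script tag (plain or URL-encoded)."""
    return [e for e in events
            if e["event"] == "settings_update" and SCRIPT_TAG.search(unquote(e.get("data", "")))]

def find_clustered_admin_logins(events, window=timedelta(minutes=5), min_users=2):
    """Map IP -> sorted admin usernames for IPs that saw >= min_users distinct admin
    logins inside any span of length `window` (the 'admin logins from one IP' indicator)."""
    by_ip = defaultdict(list)
    for e in sorted((x for x in events if x["event"] == "admin_login"), key=lambda x: parse_ts(x["ts"])):
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, logins in by_ip.items():
        for i, first in enumerate(logins):
            start = parse_ts(first["ts"])
            users = {x["user"] for x in logins[i:] if parse_ts(x["ts"]) - start <= window}
            if len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in hits.items()}
```

Run against the sample, the first function flags bob's and carol's settings changes (the second only because of URL decoding) and the second flags 10.0.0.5, from which three different admins logged in within five minutes.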