Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger

Valid

Reported on

Jun 21st 2021


✍️ Description

The Facebook notifications of the livehelperchat fbmessenger extension can be modified to list new notifications. However, the template is used incorrectly, resulting in a CSTI (client-side template injection) which leads to stored XSS.

🕵️‍♂️ Proof of Concept

Install the livechat

Install fbmessenger extension

Go to https://lhchost.com/site_admin/fbmessenger/notifications. The attacker creates or changes the message and name with this payload: {{$on.constructor('alert(document.domain)')()}}. When someone else visits the aforementioned page, the XSS pops.

💥 Impact

This vulnerability allows JS code to be injected permanently and shown to every user who views the page.

References:

https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/parts/form_notification.tpl.php

https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/notifications.tpl.php
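The two template files referenced above are not reproduced here, so the following is an added example (not code from the fbmessenger project) that shows the defender's side of the issue described in this report: the `$on.constructor` payload only works because stored notification fields reach an AngularJS-style client-side template engine that interpolates `{{ }}` in unescaped text. The example assumes such an engine, uses constructed sample records rather than real data, and demonstrates (a) a simple audit that flags stored values carrying interpolation markers and (b) a rendering helper that HTML-escapes the value and wraps it in `ng-non-bindable`, the AngularJS directive that tells the engine not to interpolate inside that element.

```python
import html
import re

# Constructed sample notification records, standing in for rows an admin saved
# through the notifications page. Record 1 carries the payload from the report;
# record 2 shows a benign value that still trips a brace-based heuristic.
SAMPLE_NOTIFICATIONS = [
    {"name": "Welcome", "message": "Thanks for contacting us!"},
    {"name": "{{$on.constructor('alert(document.domain)')()}}", "message": "hi"},
    {"name": "Promo", "message": "Use code {{discount}} at checkout"},
]

# A complete {{ ... }} pair is what an AngularJS-style engine would evaluate
# if the value were emitted into a bindable part of the page.
INTERPOLATION_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def contains_template_expression(value: str) -> bool:
    """True when the value holds at least one complete interpolation block."""
    return INTERPOLATION_RE.search(value) is not None


def find_suspicious_notifications(records):
    """Audit stored records; return (index, field) pairs worth a manual look.

    This is a heuristic: legitimate text that happens to contain braces is
    reported too, which is why the rendering fix below matters more than the scan.
    """
    hits = []
    for idx, rec in enumerate(records):
        for field in ("name", "message"):
            if contains_template_expression(rec.get(field, "")):
                hits.append((idx, field))
    return hits


def render_safe(value: str) -> str:
    """Return an HTML fragment that is safe to drop into an AngularJS-bound page.

    html.escape stops ordinary markup injection; ng-non-bindable stops the
    client-side engine from evaluating any {{ }} that survives escaping, which
    is the step the vulnerable template was missing.
    """
    return "<span ng-non-bindable>" + html.escape(value, quote=True) + "</span>"


if __name__ == "__main__":
    for idx, field in find_suspicious_notifications(SAMPLE_NOTIFICATIONS):
        raw = SAMPLE_NOTIFICATIONS[idx][field]
        print(f"record {idx} field {field!r}: {raw!r}")
        print("  rendered as:", render_safe(raw))
```

The scan is only a triage aid for data already in the database; the durable fix is on the output side, where every user-controlled field rendered by the template goes through something equivalent to `render_safe` (or is bound with `ng-bind` instead of being placed in interpolated text).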

khiemtq-cyber
6 months ago

Researcher


The name input has the same vuln: https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/parts/form_notification.tpl.php#L3

khiemtq-cyber modified their report
6 months ago
khiemtq-cyber submitted a
6 months ago
Jamie Slome
6 months ago

Admin


@remdex - just notifying you of this report!

Remigijus Kiminas validated this vulnerability 6 months ago
khiemtq-cyber has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on 7e0df0 6 months ago
The fix bounty has been dropped
khiemtq-cyber
6 months ago

Researcher


Thank you, please check this report https://huntr.dev/bounties/2-LiveHelperChat/livehelperchat/ too