Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on

Jun 11th 2021


✍️ Description

The faq section of LiveHelperChat can be modified listing some new questions/answers. However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS.

🕵️‍♂️ Proof of Concept

  1. Install the livechat
  2. Go on https://your-host.com/site_admin/faq/view/1 (maybe first you have to create a new FAQ)
  3. The attacker changes the questions/answer with this content: {{$on.constructor('alert(document.domain)')()}}
  4. When someone else visits the page aforementioned, a XSS is popped!

💥 Impact

This vulnerability is capable of injecting JS code permanently showed to every user

Z-Old
2 years ago

Admin


Yoo Mik! Since I coulnd't find a security policy or even contact email, I've created an issue on the repo asking for a way to contact the maitainers regarding this issue. Good job, and welcome back!

Z-Old
2 years ago

Admin


Hey @mik317, they got back to me with an email - so I've just emailed them and am waiting to hear back.

Remigijus
2 years ago

Maintainer


And how do I verify it if I can't see what's written there :D

Z-Old
2 years ago

Admin


Hi there! Apologies for the inconvenience, you should be able to access the full details of the report, as well as the action buttons to validate/invalidate.

Remigijus Kiminas validated this vulnerability 2 years ago
Michele Romano has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed with commit 5328d4 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Michele Romano
2 years ago

Researcher


Thanks <3

Cheers, Mik

Remigijus
2 years ago

Maintainer


Just have in mind, similar things needs to be changed a cross an app. So other parts I'll be changing tomorrow.

Remigijus
2 years ago

Maintainer


All related changes has been commited to github. If you notice anything else let me know :)

to join this conversation