Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on

Jun 21st 2021


✍️ Description

The questionary section of livehelperchat can be modified listing new question . However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS.

🕵️‍♂️ Proof of Concept

Install the livechat

Go on https://lhchost.com/index.php/site_admin/questionary/edit/2 (or any question exists) The attacker changes the question input with this payload: {{$on.constructor('alert(document.domain)')()}} When someone else visits the page aforementioned, a XSS is popped!

💥 Impact

This vulnerability is capable of injecting JS code permanently showed to every user

We have contacted a member of the livehelperchat team and are waiting to hear back 6 months ago
khiemtq-cyber submitted a
6 months ago
Remigijus Kiminas validated this vulnerability 6 months ago
khiemtq-cyber has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on ee17ef 6 months ago
The fix bounty has been dropped
khiemtq-cyber
6 months ago

Researcher


Thank you very much @remdex

Ziding Zhang
6 months ago

Admin


Thank you both! @Remigijus, may I kindly ask whether there is a reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏

Remigijus
5 months ago

@zidingz Just I'm a maintainer of the project. So I feel responsible to have all issues fixed free of charge :)