Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat


Reported on

Jun 21st 2021

✍️ Description

The questionary section of livehelperchat can be modified listing new question . However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS.

🕵️‍♂️ Proof of Concept

Install the livechat

Go on (or any question exists) The attacker changes the question input with this payload: {{$on.constructor('alert(document.domain)')()}} When someone else visits the page aforementioned, a XSS is popped!

💥 Impact

This vulnerability is capable of injecting JS code permanently showed to every user

We have contacted a member of the livehelperchat team and are waiting to hear back a year ago
kz-cyber submitted a
a year ago
Remigijus Kiminas validated this vulnerability a year ago
kz-cyber has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed with commit ee17ef a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


Thank you very much @remdex

a year ago


Thank you both! @Remigijus, may I kindly ask whether there is a reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏

a year ago

@zidingz Just I'm a maintainer of the project. So I feel responsible to have all issues fixed free of charge :)

to join this conversation