Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on

Jun 21st 2021


โœ๏ธ Description

The questionary section of livehelperchat can be modified by listing a new question. However, the template is used incorrectly, resulting in a client-side template injection (CSTI) which leads to stored XSS.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

1. Install the livechat.
2. Go to https://lhchost.com/index.php/site_admin/questionary/edit/2 (or any existing question).
3. The attacker changes the question input to this payload: {{$on.constructor('alert(document.domain)')()}}
4. When someone else visits the aforementioned page, an XSS is popped!

💥 Impact

This vulnerability allows injecting JS code that is permanently shown to every user.
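An added example, not part of the original report and not the project's fix in commit ee17ef: it shows why HTML-escaping a stored question is not enough when the page is compiled by AngularJS, next to a hardened rendering that also uses `ng-non-bindable`. The `<td>` markup, the function names and the sample rows are assumptions made for illustration.

```javascript
// Payload quoted in the report, used here only as test input.
const REPORTED = "{{$on.constructor('alert(document.domain)')()}}";

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([k, v]) => [v, k]));

// Standard HTML output encoding for text placed in element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Models the browser's HTML parser: entities in a text node are decoded
// before AngularJS walks the DOM looking for interpolation markers.
function textNodeValue(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DECODE[e]);
}

// True if the text contains AngularJS's default {{ ... }} delimiters.
function hasInterpolation(text) {
  return /\{\{[\s\S]*?\}\}/.test(text);
}

// Weak: HTML-escaped only, then emitted inside an ng-app region.
function renderEscapedOnly(question) {
  return `<td>${escapeHtml(question)}</td>`;
}

// Hardened: escaped so the value cannot close the wrapper, and wrapped in
// ng-non-bindable so AngularJS does not compile the subtree.
function renderNonBindable(question) {
  return `<td><span ng-non-bindable>${escapeHtml(question)}</span></td>`;
}

// Audit helper: ids of stored rows whose text would be evaluated as a template.
function auditQuestions(rows) {
  return rows.filter((r) => hasInterpolation(r.text)).map((r) => r.id);
}

// Constructed sample rows (not real data).
const rows = [
  { id: 1, text: "How did you hear about us?" },
  { id: 2, text: REPORTED },
];
console.log(renderEscapedOnly(REPORTED));
console.log(renderNonBindable(REPORTED));
console.log(auditQuestions(rows));
```

The escaped-only output still carries the `{{ }}` markers, and the entity-encoded quotes are decoded back by the HTML parser before AngularJS reads the text node, so the expression reaches the template engine unchanged.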

We have contacted a member of the livehelperchat team and are waiting to hear back 2 years ago
kz-cyber submitted a
2 years ago
Remigijus Kiminas validated this vulnerability 2 years ago
kz-cyber has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed with commit ee17ef 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
kz-cyber
2 years ago

Researcher


Thank you very much @remdex

Z-Old
2 years ago

Admin


Thank you both! @Remigijus, may I kindly ask whether there is a reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏

Remigijus
2 years ago

@zidingz Just I'm a maintainer of the project. So I feel responsible to have all issues fixed free of charge :)
