Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat


Reported on

Aug 24th 2021

✍️ Description

Stored Xss on smtp/Sender address

🕵️‍♂️ Proof of Concept

Step To Reproduce:

  1. Go to system/smtp
  2. add the payload: "><svg/onload=prompt(document.cookie)> on "Sender address" or "Default from e-mail address" or "Default from name" [all the 3 params are vulnerable to xss]
  3. save it and you can see that the xss fires poc image:

💥 Impact

Stored Xss


We have contacted a member of the livehelperchat team and are waiting to hear back 2 years ago
Remigijus Kiminas validated this vulnerability 2 years ago
D3lT4 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed with commit b9207e 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation