Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Valid
Reported on Jan 27th 2022
Description
Stored XSS is found in Settings > Live help configuration > Departments > Departments groups > edit. When a user creates a new webhook under the NAME field and puts a payload {{constructor.constructor('alert(1)')()}}, the input gets stored; at user edit groupname, the payload gets executed.
Proof of Concept
https://drive.google.com/file/d/1V2dbaOS_h5HCab-C0KUaXOmaurZABVeE/view?usp=sharing
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
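Added example, not code from the report or from Live Helper Chat: it shows why HTML-escaping the stored name does not neutralize the reported {{...}} payload, and two defensive options. It assumes the edit page compiles its markup with AngularJS (the report does not say which engine evaluates the expression); all function names and the sample records are hypothetical.

```javascript
// Added example. PAYLOAD is the string quoted in the report; every function
// name and sample record here is constructed for illustration.
const PAYLOAD = "{{constructor.constructor('alert(1)')()}}";

// Conventional HTML escaping: neutralizes markup, leaves curly braces alone.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the browser stores in the DOM text node: character references decoded.
// A client-side template engine compiles this text, not the escaped source.
function textNodeValue(html) {
  return html
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// True when a {{ ... }} expression is present in the text.
function hasTemplateExpression(s) {
  return /\{\{[\s\S]*?\}\}/.test(String(s));
}

// Mitigation 1 (assumes AngularJS): ng-non-bindable tells the compiler to
// skip this element, so the name is shown as literal text.
function renderNonBindable(name) {
  return `<span ng-non-bindable>${escapeHtml(name)}</span>`;
}

// Mitigation 2: refuse template delimiters when the name is saved.
function validateName(name) {
  if (/\{\{|\}\}/.test(name)) {
    throw new Error('template delimiters are not allowed in names');
  }
  return name;
}

// Audit helper: ids of already-stored records whose name holds an expression.
function auditStoredNames(records) {
  return records.filter((r) => hasTemplateExpression(r.name)).map((r) => r.id);
}
```

The first two functions together show the gap: the escaped output contains no markup, yet the text node the template compiler sees is the original expression.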
We are processing your report and will contact the livehelperchat team within 24 hours (a year ago).
The fix bounty has been dropped
This vulnerability will not receive a CVE