Improper Use of Validation Framework in livehelperchat/livehelperchat
Jan 16th 2022
Lack of server-side validation: an admin can delete their own account by bypassing the client-side validation that hides the delete action for the current user.
1. Log in to the application as admin.
2. Navigate to settings and create another user.
3. Open the user list: an admin is only offered the delete action for other users' accounts, not for their own.
4. Click delete on the other user, intercept the request, and change the user id in the endpoint to "1",
for example "https://demo.livehelperchat.com/site_admin/user/delete/2/(csfr)/d2e8bf8a73d93418fd5874d7a512ad6d"
5. The request succeeds and the admin's own account is deleted.
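The root cause is that the "cannot delete yourself" rule exists only in the UI. The following is an added illustration, not Live Helper Chat's own code (written in Python rather than the project's PHP), showing a delete handler that checks only the CSRF token beside one that also enforces the rule on the server; the user table, ids, session object and token values are constructed for the example.

```python
import hmac

# Constructed sample user table: id -> record. Id 1 plays the logged-in admin
# from the report, id 2 the user created in step 2.
USERS = {
    1: {"name": "admin", "is_admin": True},
    2: {"name": "operator", "is_admin": False},
}


def delete_user_unchecked(users, session_user_id, target_id, token, expected_token):
    """Vulnerable pattern (illustrative): only the CSRF token is verified.
    session_user_id is never compared with target_id because the UI simply
    hides the delete button for the current user, so a modified request with
    target_id == session_user_id is accepted."""
    if not hmac.compare_digest(token, expected_token):
        return "forbidden_csrf"
    if target_id not in users:
        return "not_found"
    del users[target_id]
    return "deleted"


def delete_user_checked(users, session_user_id, target_id, token, expected_token):
    """Hardened pattern: the same rule is enforced on the server, on the id taken
    from the request, regardless of what the client shows or hides."""
    if not hmac.compare_digest(token, expected_token):
        return "forbidden_csrf"
    # The id comes from the URL and is attacker-controlled; compare it with the
    # identity taken from the session, never with anything sent by the client.
    if target_id == session_user_id:
        return "forbidden_self"
    if target_id not in users:
        return "not_found"
    del users[target_id]
    return "deleted"


if __name__ == "__main__":
    # Replay of step 4: the admin (session id 1) rewrites the target id 2 -> 1.
    print(delete_user_unchecked(dict(USERS), 1, 1, "tok", "tok"))  # deleted
    print(delete_user_checked(dict(USERS), 1, 1, "tok", "tok"))    # forbidden_self
    print(delete_user_checked(dict(USERS), 1, 2, "tok", "tok"))    # deleted
```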