Improper Use of Validation Framework in livehelperchat/livehelperchat

Valid

Reported on

Jan 16th 2022


Lack of server side validation (An admin can delete his/her account by bypassing client side validation)

1. Log in to the application as admin.

2. Navigate to settings and create another user.

3. Now view the list of users; an admin can only delete other users' accounts, not his/her own.

4. Click on delete, intercept the request, and change the endpoint value to "1"

for example "https://demo.livehelperchat.com/site_admin/user/delete/2/(csfr)/d2e8bf8a73d93418fd5874d7a512ad6d"

to "https://demo.livehelperchat.com/site_admin/user/delete/1/(csfr)/d2e8bf8a73d93418fd5874d7a512ad6d"

5. You will see that the user account gets deleted.

PS: I deleted the admin account during the testing
Remigijus Kiminas validated this vulnerability a year ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed with commit 78413a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
takester (Researcher), a year ago:

Won't I get a CVE for this?? Also, this vulnerability can be escalated to a CSRF attack, as the application is not validating CSRF tokens.

takester (Researcher), a year ago:

If needed, I can report this as a separate issue, should I??
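The two gaps the report and the comment describe, a self-deletion rule enforced only in the UI and a CSRF token the server does not check, are both fixed by moving the checks into the delete handler. The following is an added illustration, not Live Helper Chat's code: the session layout, the in-memory user table and the `delete_user`/`replay_report` names are assumptions, and `replay_report` walks through the report's step 4 (id changed from 2 to 1) and the comment's forged-token case against the hardened handler.

```python
import hmac
import secrets

USERS = {1: "admin", 2: "operator"}  # constructed demo data, not the project's


class DeleteError(Exception):
    """A delete request failed a server-side check."""


def delete_user(session: dict, target_id: int, csrf_token: str, users: dict) -> None:
    """Handler for .../user/delete/<target_id>/(csfr)/<token>; all checks server-side."""
    # 1. CSRF: the token in the URL must match the token bound to the session.
    expected = session.get("csrf_token")
    if not expected or not hmac.compare_digest(expected, csrf_token):
        raise DeleteError("invalid CSRF token")
    # 2. Authorisation: only admins may delete users.
    if session.get("role") != "admin":
        raise DeleteError("forbidden")
    # 3. Self-deletion guard: target_id is attacker-controlled (it was edited
    #    from 2 to 1 in the report), so the UI hiding the button is not enough.
    if target_id == session["user_id"]:
        raise DeleteError("an account cannot delete itself")
    if target_id not in users:
        raise DeleteError("no such user")
    del users[target_id]


def replay_report() -> dict:
    """Replay the report's steps against the hardened handler."""
    users = dict(USERS)
    # Assumed session layout: a per-session CSRF token is stored server-side.
    session = {"user_id": 1, "role": "admin", "csrf_token": secrets.token_hex(16)}
    results = {}
    # Step 4, untampered: delete user 2 with the session's real token.
    delete_user(session, 2, session["csrf_token"], users)
    results["deleted_other"] = 2 not in users
    # Step 4, tampered: same token, id changed from 2 to the admin's own 1.
    try:
        delete_user(session, 1, session["csrf_token"], users)
        results["self_delete_blocked"] = False
    except DeleteError:
        results["self_delete_blocked"] = 1 in users
    # The comment's CSRF angle: a forged request carrying a guessed token.
    try:
        delete_user(session, 1, "0" * 32, users)
        results["csrf_blocked"] = False
    except DeleteError:
        results["csrf_blocked"] = 1 in users
    return results
```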
