Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Status: Valid
Reported on Dec 16th 2021
Description
I found one more CSRF in Clean cache, in the System tab of System configuration, triggered via a GET request.
Proof of Concept
<a href="https://demo.livehelperchat.com/site_admin/system/expirecache">CLICK ME!</a>
Impact
This vulnerability can trick an admin into clearing the system cache, which can potentially lead to a DoS attack.
Remediation
Use a POST request combined with a CSRF token instead of a GET request.
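The remediation above, shown as a worked PHP example. This is an added illustration, not Live Helper Chat's own code: the function names, the session key `csrf_token` and the form field name are hypothetical, and the only value taken from the report is the `/site_admin/system/expirecache` path. The handler refuses any request that is not a POST carrying the session's token, so a link or image tag on a third-party page (which can only issue a GET) can no longer trigger the action.

```php
<?php
// Added example (not Live Helper Chat's own code): a state-changing
// action such as "clear cache" guarded by a POST-only check plus a
// per-session CSRF token. Function and field names are hypothetical.

declare(strict_types=1);

// Issue (or reuse) the session's CSRF token. random_bytes() returns
// CSPRNG output; bin2hex() makes it safe to embed in an HTML attribute.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept only a POST that carries the session's token.
// hash_equals() compares in constant time, so the comparison does not
// leak how many leading bytes of a guess were correct.
function csrf_request_is_valid(string $method, ?string $submitted): bool
{
    if ($method !== 'POST') {
        return false;               // a GET from a link or <img> never qualifies
    }
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical cache-expiry handler standing in for the vulnerable route.
function handle_expire_cache(): string
{
    if (!csrf_request_is_valid($_SERVER['REQUEST_METHOD'] ?? 'GET',
                               $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Forbidden: missing or invalid CSRF token';
    }
    // ... the real cache clearing would happen here ...
    return 'Cache cleared';
}

// The admin page renders the action as a form, never as a plain link.
function render_expire_cache_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/site_admin/system/expirecache">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Clean cache</button>'
         . '</form>';
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    echo handle_expire_cache();
} else {
    echo render_expire_cache_form();
}
```

The method check alone is not enough, because a cross-site form can submit a POST; the token is what ties the request to a page the admin actually loaded from this site. Marking the session cookie `SameSite=Lax` (or `Strict`) is a useful second layer, but it is a defence in depth, not a replacement for the token check.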
Occurrences
expirecache.tpl.php#L1-L3
Status updates
huntr: We are processing your report and will contact the livehelperchat team within 24 hours.
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
The report has been validated.