Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat


Reported on

Dec 16th 2021


I found one more CSRF at Clean cache in the System tab of System configuration via GET request.

Proof of Concept

<a href="">CLICK ME!</a>


This vulnerability is capable of tricking admin to clear the cache of the system, that can potential lead to a DoS attack.


Use POST request combined with a CSRF token instead of using GET request.

We are processing your report and will contact the livehelperchat team within 24 hours. 2 years ago
Remigijus Kiminas validated this vulnerability 2 years ago
khanhchauminh has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed in 2.0 with commit 3b5d0a 2 years ago
The fix bounty has been dropped
expirecache.tpl.php#L1-L3 has been validated
to join this conversation