Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Dec 27th 2021
livehelperchat is an open source live chat service. In this service, general users can chat 1:1 with administrators. When administrators send XSS PoC to general users, XSS occurs in general users' chat rooms. Since XSS PoC is saved in the chat room, XSS occurs even if you access the chat room again after leaving. And privileges lower than admin privileges are also possible.
Proof of Concept
1. Open the https://demo.livehelperchat.com/site_admin and Log in as administrator or operators 2. Go to https://demo.livehelperchat.com/ and enther a comment 3. Again go to https://demo.livehelperchat.com/site_admin and Send an xss poc after click the Open chats 4. Going back to the normal user's chat room causes XSS Video : https://www.youtube.com/watch?v=IylZGyJct9c
Through this vulnerability, an attacker is capable to execute malicious scripts.