Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on

Jan 17th 2022


Description

Stored XSS is found in Settings>Live help configuration>Incoming Webhooks. When a user creates a new webhook under the NAME field and puts a payload {{constructor.constructor('alert(1)')()}}, the input gets stored, and every time the user visits, the payload gets executed.

Proof of Concept

Inline-style: alt text

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the livehelperchat team within 24 hours. 4 months ago
Remigijus Kiminas validated this vulnerability 4 months ago
shubh123-tri has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on 407d0b 4 months ago
The fix bounty has been dropped
to join this conversation