Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Valid
Reported on Jan 17th 2022
Description
Stored XSS is found in Settings > Live help configuration > Incoming Webhooks. When a user creates a new webhook and puts the payload `{{constructor.constructor('alert(1)')()}}` in the NAME field, the input gets stored, and every time the user visits, the payload gets executed.
Proof of Concept
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
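Added example, not part of the original report or the project's code: the payload above uses `{{ }}` expression syntax and contains no HTML markup, so HTML-escaping the name on output does not neutralize it. The sketch assumes the name is rendered into a page that AngularJS compiles (the report does not name the framework), and all function names are hypothetical.

```javascript
// Added example; helper names are hypothetical, not Live Helper Chat code.
// Assumption: the stored name is echoed into HTML that AngularJS compiles.

// Constructed sample input: the webhook name from the report.
const REPORTED_NAME = "{{constructor.constructor('alert(1)')()}}";

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([c, e]) => [e, c]));

// Ordinary output encoding: stops markup injection, ignores braces.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ESCAPES[c]);
}

// Models the browser: entities are decoded before a client-side
// template engine reads the text node.
function decodeEntities(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, e => UNESCAPES[e]);
}

// True if the text a template engine would see still holds an expression.
function hasInterpolation(text) {
  return /\{\{[\s\S]*?\}\}/.test(text);
}

// Input-side check: refuse names carrying interpolation delimiters.
function validateWebhookName(name) {
  if (typeof name !== 'string' || name.trim() === '') {
    return { ok: false, reason: 'empty' };
  }
  if (name.includes('{{') || name.includes('}}')) {
    return { ok: false, reason: 'template delimiters' };
  }
  return { ok: true, reason: null };
}

// Output-side fix: escape, then mark the element so AngularJS skips it.
// ng-non-bindable is a built-in AngularJS directive.
function renderName(name) {
  return `<span ng-non-bindable>${escapeHtml(name)}</span>`;
}

// Escaping alone leaves the expression intact once entities are decoded.
console.log(hasInterpolation(decodeEntities(escapeHtml(REPORTED_NAME))));
console.log(validateWebhookName(REPORTED_NAME));
console.log(renderName(REPORTED_NAME));
```

Rejecting the delimiters on input and marking the output element non-bindable are independent layers; records stored before the input check existed still need the output-side handling.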
We are processing your report and will contact the livehelperchat team within 24 hours.
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE