Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on Jan 27th 2022


Description

Livehelperchat is vulnerable to stored cross site scripting.

Proof of Concept

1. Log in to the demo account

2. Go to settings --> Live help configuration --> Visual settings for the visitor --> widget theme --> new --> name field

3. Add the payload in the name field and click save

4. Go to settings --> embed code --> questionary embed code --> click page embed code; the alert will trigger.

Payload: {{constructor.constructor('alert(1)')()}}

Impact

This vulnerability is capable of stealing the user's cookie.
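
The payload above is a template expression rather than HTML markup, so HTML escaping alone leaves it intact. The following is an added example, not code from Live Helper Chat or from the fix commit: it shows an input check, an output-side defence and an audit of stored values, assuming the page is compiled by an AngularJS-style engine (ng-non-bindable is AngularJS's directive). The function names and sample rows are hypothetical.

```javascript
// Added example, not Live Helper Chat code. Assumption: the back-office page is
// compiled by an AngularJS-style engine, so {{ ... }} in server-rendered text
// is evaluated as an expression (the shape of the payload in this report).

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Ordinary HTML escaping: blocks tag and attribute injection, nothing more.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// True when the value contains an interpolation pair such as {{ expr }}.
function hasInterpolation(value) {
  return /\{\{[\s\S]*?\}\}/.test(String(value));
}

// Input-side check for a free-text field such as the widget theme name.
function validateThemeName(name) {
  if (typeof name !== 'string' || name.trim() === '') {
    return { ok: false, reason: 'empty' };
  }
  if (hasInterpolation(name)) {
    return { ok: false, reason: 'template-expression' };
  }
  return { ok: true, reason: null };
}

// Output-side defence: escape for HTML and mark the element ng-non-bindable
// so the engine does not compile its contents.
function renderThemeName(name) {
  return '<span ng-non-bindable>' + escapeHtml(name) + '</span>';
}

// Audit of already-stored rows: returns ids whose name needs review.
function auditThemes(rows) {
  return rows.filter((row) => hasInterpolation(row.name)).map((row) => row.id);
}

// Constructed sample rows; the second name is the payload from this report.
const SAMPLE_THEMES = [
  { id: 1, name: 'Default blue' },
  { id: 2, name: "{{constructor.constructor('alert(1)')()}}" },
  { id: 3, name: 'Support {EU} <beta>' },
];

console.log(auditThemes(SAMPLE_THEMES));
console.log(renderThemeName(SAMPLE_THEMES[1].name));
```
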

We are processing your report and will contact the livehelperchat team within 24 hours. a year ago
Remigijus Kiminas validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed in 3.93v with commit d7b854 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE