Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Valid

Reported on

Jan 27th 2022


Description

Livehelperchat is vulnerable to stored cross site scripting.

Proof of Concept

1 . Login to the demo account

2 . Go to settings --> Live help configuration -->Visual settings for the visitor --> widget theme -->new --> name field

3 . Add payload in name field and click save

4 . Go to setting -->embed code --> questionary embed code --> click page embed code alert will trigger.

payload {{constructor.constructor('alert(1)')()}}

Impact

This vulnerability is capable of stolen the user cookie

We are processing your report and will contact the livehelperchat team within 24 hours. 4 months ago
Remigijus Kiminas validated this vulnerability 4 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas confirmed that a fix has been merged on d7b854 4 months ago
The fix bounty has been dropped
to join this conversation