Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat


Reported on

Jan 27th 2022


Livehelperchat is vulnerable to stored cross site scripting.

Proof of Concept

1 . Login to the demo account

2 . Go to settings --> Live help configuration -->Visual settings for the visitor --> widget theme -->new --> name field

3 . Add payload in name field and click save

4 . Go to setting -->embed code --> questionary embed code --> click page embed code alert will trigger.

payload {{constructor.constructor('alert(1)')()}}


This vulnerability is capable of stolen the user cookie

We are processing your report and will contact the livehelperchat team within 24 hours. a year ago
Remigijus Kiminas validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Remigijus Kiminas marked this as fixed in 3.93v with commit d7b854 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation