Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger

Valid

Reported on

Jun 21st 2021

✍️ Description

The Facebook notifications of livehelperchat fbmessenger extension can be modified listing new notifications. However, the template is used incorrectly resulting in a CSTI injection which leads to stored XSS.

🕵️‍♂️ Proof of Concept

Install the livechat

Install fbmessenger extension

Go on https://lhchost.com/site_admin/fbmessenger/notifications The attacker creates/changes the message and name with this payload: {{$on.constructor('alert(document.domain)')()}} When someone else visits the page aforementioned, a XSS is popped!

💥 Impact

This vulnerability is capable of injecting JS code permanently showed to every user

References:

https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/parts/form_notification.tpl.php

https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/notifications.tpl.php

Occurrences

form_notification.tpl.php L100

kz-cyber

commented 2 years ago

Researcher

Name input is same vuln https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/parts/form_notification.tpl.php#L3

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber submitted a

patch

2 years ago

kz-cyber modified the report

2 years ago

Jamie Slome

commented 2 years ago

Admin

@remdex - just notifying you of this report!

Remigijus Kiminas validated this vulnerability 2 years ago

kz-cyber has been awarded the disclosure bounty

The fix bounty is now up for grabs

Remigijus Kiminas marked this as fixed with commit 7e0df0 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

kz-cyber

commented 2 years ago

Researcher

Thank you, please check this report https://huntr.dev/bounties/2-LiveHelperChat/livehelperchat/ too

to join this conversation

kz-cyber

commented 2 years ago

Researcher

Name input is same vuln https://github.com/LiveHelperChat/fbmessenger/blob/master/design/fbmessengertheme/tpl/lhfbmessenger/parts/form_notification.tpl.php#L3

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber modified the report

2 years ago

kz-cyber submitted a

patch

2 years ago

kz-cyber modified the report

2 years ago

Jamie Slome

commented 2 years ago

Admin

@remdex - just notifying you of this report!

Remigijus Kiminas validated this vulnerability 2 years ago

kz-cyber has been awarded the disclosure bounty

The fix bounty is now up for grabs

Remigijus Kiminas marked this as fixed with commit 7e0df0 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

kz-cyber

commented 2 years ago

Researcher

Thank you, please check this report https://huntr.dev/bounties/2-LiveHelperChat/livehelperchat/ too

to join this conversation