Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Reported on Jun 11th 2021
✍️ Description
The FAQ section of LiveHelperChat can be edited to add new questions/answers. However, the template is used incorrectly: user-supplied FAQ text ends up inside a client-side template scope, resulting in a client-side template injection (CSTI) which leads to stored XSS.
🕵️♂️ Proof of Concept
- Install LiveHelperChat
- Go on https://your-host.com/site_admin/faq/view/1 (maybe first you have to create a new FAQ)
- The attacker changes the question/answer to this content:
{{$on.constructor('alert(document.domain)')()}}
- When someone else visits the aforementioned page, an XSS is popped!
💥 Impact
This vulnerability allows an attacker with FAQ edit access to inject JavaScript code that is stored permanently and executed for every user who views the affected FAQ page.
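The report above describes a CSTI that survives ordinary HTML escaping: the `{{ ... }}` delimiters are not HTML metacharacters, so an escaped-but-bindable FAQ entry is still evaluated by the client-side template engine. The following is an added example, not LiveHelperChat's own code, showing the vulnerable render pattern beside a hardened one (AngularJS's `ng-non-bindable` directive plus breaking the interpolation delimiters), and a small audit check for already-stored entries. Function names, the `SAMPLE_FAQ` data and the zero-width-space delimiter break are assumptions made for the example.

```javascript
// Added example (not LiveHelperChat code). Assumes the FAQ view is produced by a
// server-side template whose output lands inside an AngularJS ng-app scope, so
// any "{{ ... }}" in user content is evaluated client-side (CSTI) even after
// HTML escaping.

// Standard HTML escaping: stops markup injection, but NOT "{{expr}}" evaluation.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: user text is HTML-escaped but dropped straight into a
// bindable region. The braces survive escaping, and the browser decodes the
// entities in the text node before AngularJS reads it, so the expression runs.
function renderFaqVulnerable(question, answer) {
  return `<div class="faq"><h3>${escapeHtml(question)}</h3><p>${escapeHtml(answer)}</p></div>`;
}

// Defence in depth (assumption for this example): insert a zero-width space
// between consecutive braces. The text renders identically but can never be
// parsed as "{{ }}" even if it is later copied into a bindable region.
function neutralizeInterpolation(text) {
  return text.replace(/\{\{/g, '{\u200b{').replace(/\}\}/g, '}\u200b}');
}

// Hardened pattern: ng-non-bindable tells AngularJS to leave the subtree alone,
// and the delimiter break makes the stored text inert regardless of context.
function renderFaqHardened(question, answer) {
  const q = neutralizeInterpolation(escapeHtml(question));
  const a = neutralizeInterpolation(escapeHtml(answer));
  return `<div class="faq" ng-non-bindable><h3>${q}</h3><p>${a}</p></div>`;
}

// Audit check: after deploying a fix, flag stored FAQ entries that still carry
// interpolation delimiters or the constructor idiom from the report's payload,
// so existing data can be reviewed and cleaned.
const SUSPICIOUS = [/\{\{[\s\S]*?\}\}/, /\bconstructor\s*\(/];
function findSuspiciousEntries(entries) {
  return entries
    .filter(e => SUSPICIOUS.some(re => re.test(e.question) || re.test(e.answer)))
    .map(e => e.id);
}

// Constructed sample data; entry 2 carries the payload quoted in the report.
const SAMPLE_FAQ = [
  { id: 1, question: 'How do I reset my password?', answer: 'Use the Forgot password link.' },
  { id: 2, question: 'Opening hours', answer: "{{$on.constructor('alert(document.domain)')()}}" },
];

console.log('suspicious entry ids:', findSuspiciousEntries(SAMPLE_FAQ));
console.log('vulnerable render still contains {{ :', renderFaqVulnerable('q', SAMPLE_FAQ[1].answer).includes('{{'));
console.log('hardened render contains {{ :', renderFaqHardened('q', SAMPLE_FAQ[1].answer).includes('{{'));
```

The important point for reviewers is that `escapeHtml` alone is not a fix here; the stored content must be kept out of the template engine's reach, and `ng-non-bindable` (or rendering via `textContent` after compilation) is what achieves that.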
Yoo Mik! Since I couldn't find a security policy or even a contact email, I've created an issue on the repo asking for a way to contact the maintainers regarding this issue. Good job, and welcome back!
Hey @mik317, they got back to me with an email - so I've just emailed them and am waiting to hear back.
And how do I verify it if I can't see what's written there :D
Hi there! Apologies for the inconvenience, you should be able to access the full details of the report, as well as the action buttons to validate/invalidate.
Just keep in mind, similar things need to be changed across the app. So other parts I'll be changing tomorrow.
All related changes have been committed to GitHub. If you notice anything else let me know :)