Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat


Reported on

Dec 2nd 2021


Stored XSS via upload Photo avatar with format .svg in Account data.


When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before.

Proof of Concept


<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
      var xss = prompt("Hi user!\nYour session is expired, please enter password to login again!");
      if (xss != null) {
        alert("Your password is: " + xss);

Steps to Reproduce

1.After login, click the name on the top right corner -> go to Account
2.In Account data tab, scroll down to the bottom
3.In the Photo section, click Choose file and choose the PoC.svg then click Update
4.After uploading successfully, copy the link to that image and open it in a new tab.
The XSS will trigger when the attachment is opened in a new tab.


This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

We are processing your report and will contact the livehelperchat team within 24 hours. 2 years ago
We have contacted a member of the livehelperchat team and are waiting to hear back 2 years ago
Remigijus Kiminas validated this vulnerability 2 years ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


Have in mind once this will be fixed. It will be fixed across the whole app. No point to report of other parts you can upload that type of SVG :)

2 years ago


Thanks for your clarity! :)

Remigijus Kiminas marked this as fixed in 2.0 with commit 0ce1dd 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation