Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat


Reported on Jan 17th 2022


A stored XSS exists in Settings > Live help configuration > Incoming Webhooks. When a user creates a new webhook and enters the payload {{constructor.constructor('alert(1)')()}} in the NAME field, the input is stored unchanged and the payload is executed every time a user visits that page. The payload is not ordinary HTML injection but an AngularJS expression: the stored name ends up inside a template that Angular interpolates on the client, so the {{ ... }} markers cause the contents to be evaluated rather than displayed as text, and constructor.constructor reaches the Function constructor to run arbitrary JavaScript. Because {{ and }} are not HTML-special characters, HTML escaping of the name on output does not prevent this.

Proof of Concept

(Screenshot of the payload executing on the Incoming Webhooks page; image not included in this copy.)


Through this vulnerability, an attacker who can create a webhook can execute arbitrary JavaScript in the browser of every user who visits the Incoming Webhooks settings page.
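The following is an added example, not code from the report or from livehelperchat. It models the path described above with a toy AngularJS-style interpolator (an assumption standing in for the real framework): the webhook name is HTML-escaped server side, the browser decodes the entities back into a text node, and the client template engine evaluates the {{ ... }} expression found there. It then shows the two fixes a practitioner would reach for: an allowlist on the name, and binding the value as data instead of splicing it into template source. The alert stub, the regex, and all function names are constructed for the example.

```javascript
// Added example (not livehelperchat code). A toy stand-in for an AngularJS
// template: every {{expr}} is evaluated against a scope object, which is
// what turns a stored webhook name into script execution on the admin page.

// Stand-in for window.alert so the example runs under Node and the test
// can observe whether the payload fired.
const alerts = [];
globalThis.alert = (msg) => { alerts.push(msg); };
function getAlerts() { return alerts.slice(); }

// Constructed attacker input: the exact payload quoted in the report.
const PAYLOAD = "{{constructor.constructor('alert(1)')()}}";

// Server side: what PHP's htmlspecialchars($s, ENT_QUOTES) would emit.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Browser side: the HTML parser decodes entities before the text node is
// handed to the client template engine, which undoes the escaping above.
function decodeHtmlText(s) {
  return s.replace(/&#039;/g, "'").replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Toy client-side interpolator (assumption: no expression sandbox, as in
// AngularJS 1.6+). The result of each expression lands in a text node,
// modelled here by escaping it; the value is never evaluated a second time.
const INTERPOLATION = /\{\{([\s\S]*?)\}\}/g;
function interpolate(text, scope) {
  return text.replace(INTERPOLATION, (_, expr) => {
    const fn = new Function('scope', `with (scope) { return (${expr}); }`);
    return escapeHtml(String(fn(scope)));
  });
}

// Vulnerable path: the stored name is spliced into the template source.
// HTML escaping is applied and does not help, because {{ and }} are not
// HTML-special and the browser restores the quotes before Angular runs.
// Inside the expression, "constructor" resolves to Object, Object.constructor
// is Function, and Function('alert(1)')() executes the attacker's script.
function renderWebhookRowUnsafe(name) {
  const scope = { webhook: { name } };
  const html = `<td>${escapeHtml(name)}</td>`;
  return interpolate(decodeHtmlText(html), scope);
}

// Fix 1 (input side): an allowlist for webhook names rejects {{ outright.
const WEBHOOK_NAME = /^[A-Za-z0-9 _.-]{1,64}$/;
function isValidWebhookName(name) {
  return WEBHOOK_NAME.test(name);
}

// Fix 2 (output side): bind the value as data, not as template source.
// The template only references the scope path; the interpolator returns the
// stored string as a value, so its {{ ... }} content is shown, not evaluated.
function renderWebhookRowSafe(name) {
  const scope = { webhook: { name } };
  return interpolate('<td>{{webhook.name}}</td>', scope);
}
```

Running renderWebhookRowUnsafe(PAYLOAD) fires the stubbed alert(1) even though the name was HTML-escaped on the way out, which is the caveat to keep in mind when reviewing a fix for this class of bug: the defence has to be either rejecting interpolation markers on input or keeping user data out of template source, not escaping alone.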

Remigijus Kiminas validated this vulnerability 2 years ago
shubh123-tri has been awarded the disclosure bounty
Remigijus Kiminas marked this as fixed with commit 407d0b 2 years ago