Chat Security Vulnerabilities
The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin...
5.4CVSS
5.1AI Score
0.001EPSS
5.4CVSS
5.1AI Score
0.001EPSS
5.4CVSS
5.1AI Score
0.001EPSS
5.4CVSS
5.1AI Score
0.001EPSS
4.8CVSS
4.7AI Score
0.001EPSS
5.4CVSS
5.1AI Score
0.001EPSS
Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to...
6.6CVSS
6.2AI Score
0.001EPSS
The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including...
8.8CVSS
8.6AI Score
0.001EPSS
4.3CVSS
4.5AI Score
0.001EPSS
6.5CVSS
6.4AI Score
0.001EPSS
5.3CVSS
5.1AI Score
0.001EPSS
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site...
6.1CVSS
6AI Score
0.001EPSS
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
6.1CVSS
6.2AI Score
0.001EPSS
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
5.4CVSS
5.4AI Score
0.001EPSS
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
5.4CVSS
5.4AI Score
0.001EPSS
5.3CVSS
5.1AI Score
0.001EPSS
The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is...
4.8CVSS
4.7AI Score
0.001EPSS
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
6.1CVSS
6.1AI Score
0.001EPSS
8.8CVSS
8.7AI Score
0.001EPSS
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
5.4CVSS
5.3AI Score
0.001EPSS
6.5CVSS
6.4AI Score
0.001EPSS
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message....
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
6.1CVSS
6.1AI Score
0.001EPSS
6.5CVSS
6.4AI Score
0.001EPSS
The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the...
8CVSS
7.5AI Score
0.001EPSS
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated...
9.8CVSS
9.6AI Score
0.002EPSS
The On Page SEO + Whatsapp Chat Button Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including...
6.1CVSS
6AI Score
0.001EPSS
The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the vws_notice function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including...
6.1CVSS
6AI Score
0.001EPSS
6.1CVSS
5.9AI Score
0.001EPSS
The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting...
4.8CVSS
4.9AI Score
0.001EPSS
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat...
8.8CVSS
8.6AI Score
0.103EPSS
Cross-site request forgery (CSRF) vulnerability in Live Chat - Live support version 3.1.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified...
8.8CVSS
8.8AI Score
0.002EPSS
6.1CVSS
5.9AI Score
0.001EPSS
Live Helper Chat before 3.44v allows stored XSS in chat messages with an operator via...
6.1CVSS
5.9AI Score
0.001EPSS
Enghouse Web Chat 6.2.284.34 allows XSS. When one enters their own domain name in the WebServiceLocation parameter, the response from the POST request is displayed, and any JavaScript returned from the external server is executed in the browser. This is related to...
6.1CVSS
5.3AI Score
0.001EPSS
The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection...
9.8CVSS
9.5AI Score
0.004EPSS
An issue was discovered in EFS Easy Chat Server 3.1. There is a buffer overflow via a long body2.ghp message...
7.5CVSS
7.7AI Score
0.001EPSS
An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. The QueueName parameter of a GET request allows for insertion of user-supplied...
6.1CVSS
6AI Score
0.001EPSS
A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. One can replace the localhost attribute with one's own domain name. When the product calls this domain after the POST request is sent, it retrieves an attacker's data and displays it. Also worth mentioning is the...
5.3CVSS
5.6AI Score
0.001EPSS
An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. A user is allowed to send an archive of their chat log to an email address specified at the beginning of the chat (where the user enters in their name and e-mail address). This POST request can be modified to change the...
6.5CVSS
6.3AI Score
0.001EPSS
An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see....
9.8CVSS
9.2AI Score
0.007EPSS
Slack-Chat through 1.5.5 leaks a Slack Access Token in source code. An attacker can obtain a lot of information about the victim's Slack (channels, members,...
7.5CVSS
7.3AI Score
0.001EPSS
A vulnerability in the HTTP API of Cisco Enterprise Chat and Email could allow an unauthenticated, remote attacker to download files attached through chat sessions. The vulnerability is due to insufficient authentication mechanisms on the file download function of the API. An attacker could...
6.5CVSS
6.6AI Score
0.004EPSS
Genesys PureEngage Digital (eServices) 8.1.x allows XSS via HtmlChatPanel.jsp or HtmlChatFrameSet.jsp (ActionColor, ClientNickNameColor, Email, email, or email_address...
6.1CVSS
6AI Score
0.001EPSS
HTTP cookie in Micro Focus Service manager, Versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. And Micro Focus Service Manager Chat Server, versions 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. And Micro Focus Service Manager Chat Service 9.41, 9.50, 9.51,...
7.5CVSS
7.5AI Score
0.002EPSS
9.8CVSS
9.3AI Score
0.002EPSS
6.1CVSS
6.2AI Score
0.001EPSS
6.1CVSS
6.4AI Score
0.001EPSS
6.1CVSS
6.4AI Score
0.001EPSS
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR...
6.1CVSS
6AI Score
0.001EPSS