Cross-site request forgery (CSRF)
livehelperchat is vulnerable to Cross-Site Request Forgery CSRF...
CVE-2021-4049
CVE-2021-4049 affects livehelperchat with a Cross-Site Request Forgery (CSRF) vulnerability. Public sources (GHSA/Huntr and OSV entries) describe an attacker who can log out a user by causing the user, while logged in, to visit a malicious site; no product/version fix details are provided in the ...
CVE-2021-4049 Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
livehelperchat is vulnerable to Cross-Site Request Forgery CSRF...
PT-2021-22896 · Unknown · Livehelperchat
Name of the Vulnerable Software and Affected Versions: livehelperchat affected versions not specified Description: The issue is related to Cross-Site Request Forgery CSRF, which allows an attacker to log out a user if the logged-in user visits the attacker's website. This cannot harm the user's...
livehelperchat cross-site request forgery vulnerability
livehelperchat is a chat via a live assistant that provides free live support on a website. A cross-site request forgery vulnerability exists in livehelperchat, which stems from the web application not adequately validating that a request is coming from a trusted user. An attacker could use...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description Stored XSS via upload Photo avatar with format .svg in Account data. Detail When opening the attachment, some format files will be rendered and loaded on the browser. So it allows executing arbitrary javascript code that was injected into attachment before. Proof of Concept PoC.svg va...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/'); document.forms[0].submit(); Impact This vulnerability is capable of forcing users into an unintentional logout. More details One way GET could be abused here i...
Use of a Broken or Risky Cryptographic Algorithm in livehelperchat/livehelperchat
Description livehelperchat uses cryptographically insecure functions microtime, mt_rand and even rand to generate sensitive information. Proof of Concept None provided, see the PHP documentation that specifies the cryptographic insecurity of the above functions. Impact This vulnerability is capabl...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS via general settings 🕵️♂️ Proof of Concept 1. Go to https://demo.livehelperchat.com/siteadmin/chatbox/configuration and update a General settings field with the XSS payload xss"'' and save it. 2. Now try to edit this Chatbox settings using a URL like...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description CSRF bug to create a group chat list 🕵️♂️ Proof of Concept There is no CSRF token checking during creation of a group chat list. The below request is vulnerable to a CSRF attack: document.getElementById("myForm").submit() 💥 Impact CSRF bug to create a group chat list...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS in XMP configuration 🕵️♂️ Proof of Concept Please check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1j1b5XDv2v73539J5MYwxYDe0IPt9yS3f/view?usp=sharing 💥 Impact XSS bug allows executing arbitrary JavaScript code...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description CSRF bug to update an uploaded file 🕵️♂️ Proof of Concept The below request is vulnerable to a CSRF bug to update an uploaded file. Submit request POST /siteadmin/file/edit/2 HTTP/1.1 Host: demo.livehelperchat.com Cookie: PHPSESSID=b8cdt7e1436rstdhbgq5mjqskq User-Agent: Mozilla/5.0 X11;...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
✍️ Description CSRF bug to make a clone of a role 🕵️♂️ Proof of Concept I see that everywhere the CSRF token is checked, but during cloning of a role it does not check the CSRF token. The below URL is vulnerable to a CSRF attack to make a clone of a role...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS via role name 🕵️♂️ Proof of Concept 1. First go to https://demo.livehelperchat.com/siteadmin/permission/roles and create a role with the XSS payload xss"'' and save it. 2. Now try to edit this role using a URL like...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description Stored XSS on SMTP / Sender address 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Go to system/smtp 2. Add the payload " on "Sender address" or "Default from e-mail address" or "Default from name"; all 3 params are vulnerable to XSS 3. Save it and you can see that the XSS fires poc...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description The questionnaire section of livehelperchat can be modified by listing a new question. However, the template is used incorrectly, resulting in a CSTI injection which leads to stored XSS. 🕵️♂️ Proof of Concept Install the livechat Go on...
Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger
✍️ Description The Facebook notifications of the livehelperchat fbmessenger extension can be modified by listing new notifications. However, the template is used incorrectly, resulting in a CSTI injection which leads to stored XSS. 🕵️♂️ Proof of Concept Install the livechat Install fbmessenger extension...
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
✍️ Description The FAQ section of LiveHelperChat can be modified by listing some new questions/answers. However, the template is used incorrectly, resulting in a CSTI injection which leads to stored XSS. 🕵️♂️ Proof of Concept 1. Install the livechat 2. Go on https://your-host.com/siteadmin/faq/view/1...