扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51403 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51403 # Reference: https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223 A low-privileged user/operator injects a malicious JavaScript payload into the Department Assignment "Alias Nick" field while assigning or editing department access. When a higher-privileged user (e.g., admin or operator) edits the department assignment "Alias Nick" field, the stored script is executed in their browser context. ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your Department Assignment settings page. 3. In the "Alias Nick" field, enter the following payload: ``` "><img src="https://www.exploit-db.com/exploits/52381/x" onerror="prompt(1);"> ``` 4. Save the changes. 5. Revist the Department Assignment settings page and edit the Alias Nick field, the cross site scripting (xss) will execute. |
体验盒子
