LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Personal Canned Messages

• Exploit Database
• 12 阅读

• 作者： Manojkumar J
  日期： 2025-07-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/52379/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

  # Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51400 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51400   A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Personal Canned Messages. When an admin or operator user views the message, and tries to send canned messages the stored javascript executes in their browser context.   ## Reproduction Steps:   1. Log in as an operator. 2. Navigate to your Personal Canned Messages. 3. Create new personal canned message, enter the following payload: ``` "><img src="https://www.exploit-db.com/exploits/52379/x" onerror="prompt(1);"> ``` 4. Save the changes. 5. Try to use the personal canned message, the cross site scripting (xss) will execute.