cvebase

Remdex Livehelperchat vulnerabilities

23 known vulnerabilities affecting remdex/livehelperchat.

Total CVEs: 23
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 18, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2024-27516 | P3 | MEDIUM | ≥ 0, < 4.29 | 2024-02-29
livehelperchat Server-Side Template Injection. Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34 allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.
Sources: GHSA, OSV

CVE-2022-1213 | P3 | HIGH | CVSS 8.1 | ≥ 0, < 3.67 | 2022-04-06
CWE-918. Server side request forgery in LiveHelperChat. SSRF filter bypass port 80, 433 in LiveHelperChat prior to v3.67. An attacker could make the application perform arbitrary requests, bypass CVE-2022-1191.
Sources: GHSA, OSV

CVE-2022-1176 | P3 | HIGH | ≥ 0, < 3.96 | 2022-04-01
CWE-843. Type Confusion in LiveHelperChat. Live Helper Chat provides live support for your website. Loose comparison causes IDOR on multiple endpoints in LiveHelperChat prior to 3.96. There is a fix released in versions 3.96 and 3.97. Currently, there is no known workaround.
Sources: GHSA, OSV

CVE-2022-1235 | P3 | HIGH | ≥ 0, < 3.96 | 2022-04-06
CWE-916. Weak password hash in LiveHelperChat. The secrethash, which the application relies on for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possibilities (1.099.511.627.776). The SHA1 of the secret can be obtained via a captcha string and brute-forced offline with a GPU.
Sources: GHSA, OSV

CVE-2021-4131 | P4 | HIGH | ≥ 0, < 3.91 | 2022-01-05
CWE-352. livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: GHSA, OSV

CVE-2022-0266 | P4 | MEDIUM | ≥ 0, < 3.92 | 2022-01-21
CWE-639. Authorization Bypass Through User-Controlled Key in LiveHelperChat. Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.
Sources: GHSA, OSV

CVE-2022-0231 | P4 | MEDIUM | ≥ 0, < 3.92 | 2022-01-26
CWE-352. Cross-Site Request Forgery (CSRF) in livehelperchat. livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: GHSA, OSV

CVE-2021-4123 | P4 | MEDIUM | ≥ 0, ≤ 3.90 | 2021-12-17
CWE-352. livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: GHSA, OSV

CVE-2022-0370 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-28
CWE-79. Cross-site Scripting in livehelperchat. Stored XSS is found in Settings>Live help configuration>Personal Theme>static content. Under the NAME field put a payload {{constructor.constructor('alert(1)')()}} while creating content, and you will see that the input gets stored, and every time the user visits, the payload gets executed.
Sources: GHSA, OSV

CVE-2022-0374 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-28
CWE-79. Cross-site Scripting in livehelperchat. Stored XSS attacks exist in the new form creation flow. New forms can be given a title which will render JavaScript.
Sources: GHSA, OSV

CVE-2022-0395 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-29
CWE-79. Cross-site Scripting in LiveHelperChat. LiveHelperChat prior to version 3.93 contains a cross-site scripting vulnerability.
Sources: GHSA, OSV

CVE-2022-0387 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-28
CWE-79. Cross-site Scripting in livehelperchat. Stored XSS is found in Settings>Live help configuration>Departments->Departments groups->edit. When a user creates a new webhook under the NAME field and puts a payload {{constructor.constructor('alert(1)')()}}, the input gets stored; at user edit groupname, the payload gets executed.
Sources: GHSA, OSV

CVE-2022-1530 | P4 | MEDIUM | ≥ 0, < 3.99 | 2022-04-30
CWE-79. An attacker can execute malicious JavaScript in Live Helper Chat. Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. An attacker can execute malicious JavaScript on the application.
Sources: GHSA, OSV

CVE-2022-0502 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-02-07
CWE-79. Cross-site Scripting in LiveHelperChat. LiveHelperChat prior to version 3.93 is vulnerable to cross-site scripting.
Sources: GHSA, OSV

CVE-2022-0612 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-02-17
CWE-79. Cross-site Scripting in livehelperchat. Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
Sources: GHSA, OSV

CVE-2022-0394 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-02-01
CWE-79. Cross-site Scripting in LiveHelperChat. LiveHelperChat (remdex/livehelperchat in Packagist) has a stored Cross-site Scripting (XSS) vulnerability prior to version 3.93.
Sources: GHSA, OSV

CVE-2021-4049 | P4 | LOW | ≥ 0, ≤ 2.0 | 2021-12-10
CWE-352. Cross-Site Request Forgery in remdex/livehelperchat. An attacker is able to log out a user if a logged-in user visits the attacker's website. While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.
Sources: GHSA, OSV

CVE-2021-4050 | P4 | MEDIUM | ≥ 0, ≤ 2.0 | 2021-12-10
CWE-79. Cross site scripting in remdex/livehelperchat. livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV

CVE-2022-0253 | P4 | MEDIUM | ≥ 0, ≤ 3.91 | 2022-01-21
CWE-79. livehelperchat is vulnerable to Cross-site Scripting. livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV

CVE-2021-4132 | P4 | MEDIUM | ≥ 0, < 3.91 | 2022-01-05
CWE-79. livehelperchat is vulnerable to Cross-site Scripting. livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV