Remdex Livehelperchat vulnerabilities
23 known vulnerabilities affecting remdex/livehelperchat.
Total CVEs: 23
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 18, LOW 1
Vulnerabilities
Page 1 of 2

CVE-2024-27516 | P3 | MEDIUM | ≥ 0, < 4.29 | 2024-02-29
CVE-2024-27516 [MEDIUM] livehelperchat Server-Side Template Injection
Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34, allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.
ghsa, osv

CVE-2022-1213 | P3 | HIGH | CVSS 8.1 | ≥ 0, < 3.67 | 2022-04-06
CVE-2022-1213 [HIGH] CWE-918 Server side request forgery in LiveHelperChat
SSRF filter bypass on ports 80, 433 in LiveHelperChat prior to v3.67. An attacker could make the application perform arbitrary requests, bypassing CVE-2022-1191.
ghsa, osv

CVE-2022-1176 | P3 | HIGH | ≥ 0, < 3.96 | 2022-04-01
CVE-2022-1176 [HIGH] CWE-843 Type Confusion in LiveHelperChat
Live Helper Chat provides live support for your website. Loose comparison causes IDOR on multiple endpoints in LiveHelperChat prior to 3.96. There is a fix released in versions 3.96 and 3.97. Currently, there is no known workaround.
ghsa, osv

CVE-2022-1235 | P3 | HIGH | ≥ 0, < 3.96 | 2022-04-06
CVE-2022-1235 [HIGH] CWE-916 Weak password hash in LiveHelperChat
The secrethash, which the application relies on for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possibilities (1,099,511,627,776). The SHA1 of the secret can be obtained via a captcha string and brute-forced offline with a GPU.
ghsa, osv

CVE-2021-4131 | P4 | HIGH | ≥ 0, < 3.91 | 2022-01-05
CVE-2021-4131 [HIGH] CWE-352 livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
ghsa, osv

CVE-2022-0266 | P4 | MEDIUM | ≥ 0, < 3.92 | 2022-01-21
CVE-2022-0266 [MEDIUM] CWE-639 Authorization Bypass Through User-Controlled Key in LiveHelperChat
Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.
ghsa, osv

CVE-2022-0231 | P4 | MEDIUM | ≥ 0, < 3.92 | 2022-01-26
CVE-2022-0231 [MEDIUM] CWE-352 Cross-Site Request Forgery (CSRF) in livehelperchat
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
ghsa, osv

CVE-2021-4123 | P4 | MEDIUM | ≥ 0, ≤ 3.90 | 2021-12-17
CVE-2021-4123 [MEDIUM] CWE-352 livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF).
ghsa, osv

CVE-2022-0370 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-28
CVE-2022-0370 [MEDIUM] CWE-79 Cross-site Scripting in livehelperchat
Stored XSS is found in Settings>Live help configuration>Personal Theme>static content. Under the NAME field put a payload {{constructor.constructor('alert(1)')()}} while creating content, and you will see that the input gets stored, and every time the user visits, the payload gets executed.
ghsa, osv

CVE-2022-0374 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-28
CVE-2022-0374 [MEDIUM] CWE-79 Cross-site Scripting in livehelperchat
Stored XSS attacks exist in the new form creation flow. New forms can be given a title which will render JavaScript.
ghsa, osv

CVE-2022-0395 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-29
CVE-2022-0395 [MEDIUM] CWE-79 Cross-site Scripting in LiveHelperChat
LiveHelperChat prior to version 3.93 contains a cross-site scripting vulnerability.
ghsa, osv

CVE-2022-0387 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-01-28
CVE-2022-0387 [MEDIUM] CWE-79 Cross-site Scripting in livehelperchat
Stored XSS is found in Settings>Live help configuration>Departments->Departments groups->edit. When a user creates a new webhook under the NAME field and puts a payload {{constructor.constructor('alert(1)')()}}, the input gets stored; at user edit groupname, the payload gets executed.
ghsa, osv

CVE-2022-1530 | P4 | MEDIUM | ≥ 0, < 3.99 | 2022-04-30
CVE-2022-1530 [MEDIUM] CWE-79 An attacker can execute malicious javascript in Live Helper Chat
Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. An attacker can execute malicious JavaScript in the application.
ghsa, osv

CVE-2022-0502 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-02-07
CVE-2022-0502 [MEDIUM] CWE-79 Cross-site Scripting in LiveHelperChat
LiveHelperChat prior to version 3.93 is vulnerable to cross-site scripting.
ghsa, osv

CVE-2022-0612 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-02-17
CVE-2022-0612 [MEDIUM] CWE-79 Cross-site Scripting in livehelperchat
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
ghsa, osv

CVE-2022-0394 | P4 | MEDIUM | ≥ 0, < 3.93 | 2022-02-01
CVE-2022-0394 [MEDIUM] CWE-79 Cross-site Scripting in LiveHelperChat
LiveHelperChat (remdex/livehelperchat in Packagist) has a stored Cross-site Scripting (XSS) vulnerability prior to version 3.93.
ghsa, osv

CVE-2021-4049 | P4 | LOW | ≥ 0, ≤ 2.0 | 2021-12-10
CVE-2021-4049 [LOW] CWE-352 Cross-Site Request Forgery in remdex/livehelperchat
An attacker is able to log out a user if a logged-in user visits the attacker's website. While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.
ghsa, osv

CVE-2021-4050 | P4 | MEDIUM | ≥ 0, ≤ 2.0 | 2021-12-10
CVE-2021-4050 [MEDIUM] CWE-79 Cross site scripting in remdex/livehelperchat
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ghsa, osv

CVE-2022-0253 | P4 | MEDIUM | ≥ 0, ≤ 3.91 | 2022-01-21
CVE-2022-0253 [MEDIUM] CWE-79 livehelperchat is vulnerable to Cross-site Scripting
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ghsa, osv

CVE-2021-4132 | P4 | MEDIUM | ≥ 0, < 3.91 | 2022-01-05
CVE-2021-4132 [MEDIUM] CWE-79 livehelperchat is vulnerable to Cross-site Scripting
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ghsa, osv