bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52379.txt
Exploit-DB 599853959f DB: 2025-07-23 
13 changes to exploits/shellcodes/ghdb

Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow

Discourse 3.1.1 - Unauthenticated Chat Message Access

Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE

Simple File List WordPress Plugin 4.2.2 - File Upload to RCE

Joomla JS Jobs plugin 1.4.2 - SQL injection
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function

Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)
2025-07-23 00:16:47 +00:00

32 lines
No EOL
1.2 KiB
Text
Raw Permalink Blame History

# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
via Personal Canned Messages
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51400
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51400
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Personal Canned Messages. When an
admin or operator user views the message, and tries to send canned messages
the stored javascript executes in their browser context.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Personal Canned Messages.
3. Create new personal canned message, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. Try to use the personal canned message, the cross site scripting (xss)
will execute.
Reference in a new issue View git blame Copy permalink