来源

关联漏洞

描述

LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field

介绍

# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51398
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51398
# Reference: https://livehelperchat.com/4.61v-security-fixes-724a.html
https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223

A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Facebook page integration Name Field. The payload is stored and executed when higher-privileged users (e.g., administrators) access or edit the integration settings, resulting in stored Cross Site Scripting (XSS).

## Reproduction Steps:

1. Log in as an operator.
2. Navigate to your Facebook page integration.
3. Create new Facebook page integration, enter the following payload in the Facebook page integration Name Field:
4. 
   ``` "><img src="x" onerror="prompt(1);"> ```
   
5. Save the changes.
6. The payload is stored and executed when higher-privileged users (e.g., operator or administrators) access or edit the Facebook page integration, resulting in stored Cross Site Scripting (XSS).

<img width="1361" height="713" alt="image" src="https://github.com/user-attachments/assets/fad9ee20-572c-45db-860d-daf0b9b45ffd" />

文件快照

 [4.0K]  /data/pocs/f6276b2effb200bc1b5f3e13980684538384b2ea
└── [1.7K]  README.md

0 directories, 1 file

备注