CVE-2020-26134

description

Live Helper Chat before 3.44 allows stored XSS in chat messages with an operator via BBCode.


[Vulnerability Type] Cross Site Scripting (XSS)


[Vendor of Product] LiveHelperChat


[Affected Product Code Base] https://github.com/LiveHelperChat/livehelperchat - versions < 3.44


[Affected Component] Stored XSS in chat messages with an operator


vulnerability

Live Helper Chat allows BBCode in chat messages, but the parser fails to sanitize a message when a BBCode tag is combined with a URL (a failure in the URL parser), so the message is not inserted into the web page correctly. Several BBCode patterns can be abused:

  '/\[list\=(.*?)\](.*?)\[\/list\]/ms',
  '/\[fs(.*?)\](.*?)\[\/fs(.*?)\]/ms',
  '/\[color\=(.*?)\](.*?)\[\/color\]/ms'

example payload

[list="><img src="http://onmouseover=alert(document.domain)//"><ol f="][/list]
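
The patterns listed above capture their parameter with (.*?), which accepts any characters, quotes included. The PHP sketch below is an added example, not code from Live Helper Chat or from this advisory: it contrasts that loose capture with an allow-listed one. The HTML templates, allow-lists, function names and sample input are assumptions constructed for illustration.

```php
<?php
// Added example; not Live Helper Chat's code. The HTML templates and the
// allow-lists are assumptions chosen for illustration.

// Loose rendering: the page's [color] pattern with a constructed template.
// Whatever (.*?) captured is pasted into the attribute as-is.
function render_loose(string $msg): string
{
    return preg_replace(
        '/\[color\=(.*?)\](.*?)\[\/color\]/ms',
        '<span style="color:#$1">$2</span>',
        $msg
    );
}

// Strict rendering: escape first, then accept a parameter only if it
// matches an allow-list; anything else stays as inert, escaped text.
function render_strict(string $raw): string
{
    $rules = [
        // pattern from the page => [allow-list for $1, HTML template]
        '/\[color\=(.*?)\](.*?)\[\/color\]/ms' =>
            ['/\A[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\z/', '<span style="color:#%s">%s</span>'],
        '/\[list\=(.*?)\](.*?)\[\/list\]/ms' =>
            ['/\A[1aAiI]\z/', '<ol type="%s">%s</ol>'],
    ];
    $msg = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    foreach ($rules as $pattern => [$allowed, $template]) {
        $msg = preg_replace_callback(
            $pattern,
            function (array $m) use ($allowed, $template): string {
                // Render only when the parameter is on the allow-list.
                return preg_match($allowed, $m[1]) === 1
                    ? sprintf($template, $m[1], $m[2])
                    : $m[0];
            },
            $msg
        );
    }
    return $msg;
}

// Constructed input: a quote inside the parameter adds a second attribute.
$sample = '[color=f00" title="injected]hi[/color]';
echo render_loose($sample), "\n";
echo render_strict($sample), "\n";
echo render_strict('[color=f00]hi[/color] [list=1]a[/list]'), "\n";
```

With the strict form, a parameter containing anything outside the allow-list, including markup produced by an earlier pass such as URL handling, leaves the tag unrendered as escaped text.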

CVE-2020-26135

[Vulnerability Type] Cross Site Scripting (XSS)


[Vendor of Product] LiveHelperChat


[Affected Product Code Base] https://github.com/LiveHelperChat/livehelperchat - versions < 3.44


[Affected Component] Reflected XSS in setsettingajax


example payload

http://HOST/LCH_PATH/index.php/user/setsettingajax/%3Csvg%20onload=alert(1)%3E