Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Live Helper Chat is vulnerable to Cross-Site Request Forgery (CSRF) on the cache expiration endpoint, allowing unauthorized cache clearing.
Vulnerability
Live Helper Chat versions prior to commit 3b5d0a8 are vulnerable to Cross-Site Request Forgery (CSRF) on the /system/expirecache endpoint. The endpoint lacked CSRF token validation, allowing an attacker to forge requests that clear the application cache. The affected code path is in design/defaulttheme/tpl/lhsystem/configuration_links and the expirecache view definition [1][2][3].
Exploitation
An attacker must trick an authenticated administrator into visiting a malicious page or clicking a crafted link. The attacker can craft a GET or POST request to the /system/expirecache endpoint without any CSRF token. If the administrator is logged in, the browser automatically includes session cookies, and the request is processed, clearing the cache [3].
Impact
Successful exploitation allows an attacker to clear the application cache, which can cause temporary denial of service or force the system to regenerate cached data. No data loss or privilege escalation occurs, but the action disrupts normal operation [2][3].
Mitigation
The fix was implemented in commit 3b5d0a8 by adding CSRF token validation to the expirecache endpoint. The commit adds a check using $currentUser->validateCSFRToken() and requires a csfr parameter in the URL. Users should update to a version that includes this commit. No workaround is available other than ensuring administrators do not follow untrusted links [3].
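The check the fix introduces, shown in isolation as an added example (this is illustrative code written for this page, not Live Helper Chat's own code): a per-session token is minted once, embedded by the application's own UI, and compared in constant time on the cache-clearing endpoint, so a request that arrives with only the administrator's cookie is refused. The `CsrfGuard` class, the `expireCacheVulnerable`/`expireCacheHardened` functions, the `$session` array standing in for `$_SESSION`, and the in-memory `$cache` are all hypothetical; only the `csfr` parameter name and the `user_parameters_unordered` layout mirror the advisory.

```php
<?php
// Added example, not Live Helper Chat's code. CsrfGuard, expireCacheVulnerable,
// expireCacheHardened, $session (stand-in for $_SESSION) and $cache are hypothetical.
declare(strict_types=1);

final class CsrfGuard
{
    private const SESSION_KEY = 'csrf_token';

    /** Return the per-session token, minting a random one on first use. */
    public static function token(array &$session): string
    {
        if (!isset($session[self::SESSION_KEY]) || !is_string($session[self::SESSION_KEY])) {
            $session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $session[self::SESSION_KEY];
    }

    /** Constant-time comparison; a missing, empty or non-string token fails closed. */
    public static function validate(array $session, $submitted): bool
    {
        if (!isset($session[self::SESSION_KEY]) || !is_string($submitted) || $submitted === '') {
            return false;
        }
        return hash_equals($session[self::SESSION_KEY], $submitted);
    }
}

/** Before the fix: any request arriving with the admin's session cookie clears the cache. */
function expireCacheVulnerable(array $params, array &$cache): string
{
    $cache = [];
    return 'cache cleared';
}

/** After the fix: the request must also carry the session's token in its csfr parameter. */
function expireCacheHardened(array $session, array $params, array &$cache): string
{
    // `?? null` avoids an undefined-index notice when the parameter is absent.
    if (!CsrfGuard::validate($session, $params['csfr'] ?? null)) {
        return 'Invalid CSFR Token'; // a real handler would also send HTTP 403
    }
    $cache = [];
    return 'cache cleared';
}

// Constructed demonstration; runs from the CLI with no web server.
$session = [];                                  // logged-in administrator's session
$cache   = ['layout' => 'compiled-template'];   // something worth protecting

// A request the browser sends on behalf of a third-party page: cookie present, token absent.
$crossSite = ['user_parameters_unordered' => []];

$cacheCopy = $cache;
echo 'vulnerable, cross-site: ', expireCacheVulnerable($crossSite['user_parameters_unordered'], $cacheCopy), "\n";
assert($cacheCopy === []);

echo 'hardened, cross-site:   ', expireCacheHardened($session, $crossSite['user_parameters_unordered'], $cache), "\n";
assert($cache !== []);

// Same action issued from the application's own UI, which embeds the session token.
$sameSite = ['user_parameters_unordered' => ['csfr' => CsrfGuard::token($session)]];
echo 'hardened, same-site:    ', expireCacheHardened($session, $sameSite['user_parameters_unordered'], $cache), "\n";
assert($cache === []);
```

Run it with `php example.php`: the cross-site request is rejected by the hardened handler and the cache survives, while the same request carrying the session token succeeds. The token lives in server-side session state rather than in the URL alone, which is what stops a third-party page from supplying it, and `hash_equals` keeps the comparison from leaking the token through timing differences.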
- GitHub - LiveHelperChat/livehelperchat: Live Helper Chat - live support for your website. Featuring web and mobile apps, Voice & Video & ScreenShare. Supports Telegram, Twilio (whatsapp), Facebook messenger including building a bot.
- NVD - CVE-2021-4131
- CSFR Token expire cache · LiveHelperChat/livehelperchat@3b5d0a8
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.91 | 3.91 |
Affected products
Three entries (OSV coordinates):
- (no CPE) range: < 2.0.0
- (no CPE) range: < 3.91
- livehelperchat/livehelperchat/livehelperchat v5 range: unspecified
Patches
- 3b5d0a8a4359: CSFR Token expire cache (3 files changed · +9 −2)
lhc_web/design/defaulttheme/tpl/lhsystem/configuration_links/expirecache.tpl.php+1 −1 modified@@ -1,3 +1,3 @@ <?php if ($currentUser->hasAccessTo('lhsystem','expirecache')) : ?> - <li><a href="<?php echo erLhcoreClassDesign::baseurl('system/expirecache')?>"><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Clean cache');?></a></li> + <li><a class="csfr-required" href="<?php echo erLhcoreClassDesign::baseurl('system/expirecache')?>"><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Clean cache');?></a></li> <?php endif; ?> \ No newline at end of file
lhc_web/modules/lhsystem/expirecache.php+6 −0 modified@@ -1,5 +1,11 @@ <?php +$currentUser = erLhcoreClassUser::instance(); + +if (!$currentUser->validateCSFRToken($Params['user_parameters_unordered']['csfr'])) { + die('Invalid CSFR Token'); + exit; +} $CacheManager = erConfigClassLhCacheConfig::getInstance(); $CacheManager->expireCache(true);
lhc_web/modules/lhsystem/module.php+2 −1 modified@@ -36,7 +36,8 @@ $ViewList['expirecache'] = array( 'params' => array(), - 'functions' => array( 'expirecache' ) + 'functions' => array( 'expirecache' ), + 'uparams' => array('csfr') ); $ViewList['smtp'] = array(
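Review bot: In the expirecache.tpl.php hunk the href is unchanged, so the `csfr` parameter that expirecache.php now requires is not emitted by the template itself; the new `class="csfr-required"` attribute only protects the action if a client-side handler for that class appends the token before the link is followed, and that handler is not part of this diff. Confirm it exists and is loaded wherever this template renders, or emit the token directly in the URL. Note also that cache clearing remains a GET link, so the token is the only thing standing between a cross-site navigation and the action.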
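Review bot: In the expirecache.php hunk `$Params['user_parameters_unordered']['csfr']` is dereferenced unconditionally, so a request without the parameter raises an undefined-index notice before validateCSFRToken() sees the null; read it as `$Params['user_parameters_unordered']['csfr'] ?? ''` (or guard with isset) so the missing-token case fails closed without a warning. The `exit;` after `die('Invalid CSFR Token');` is unreachable, since die() already terminates the script, and can be dropped. A plain-text die() also answers with HTTP 200; sending a 403 would let a rejected request be told apart from a successful cache clear in access logs.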
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hx77-5p88-f92r (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-4131 (GHSA; ADVISORY)
- github.com/livehelperchat/livehelperchat/commit/3b5d0a8a43595a7f05f2a81b76623a8d7e5ad19f (GHSA; x_refsource_MISC; WEB)
- huntr.dev/bounties/52dfac87-4fd3-4dfb-83d2-d39916764d43 (GHSA; x_refsource_CONFIRM; WEB)