Generation of Error Message Containing Sensitive Information in livehelperchat/livehelperchat
Description
livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Live Helper Chat discloses whether an email address is registered in the system via differing error messages on the password reset form, enabling email enumeration.
Vulnerability
In livehelperchat versions prior to the fix introduced in commit fbed8728be59040a7218610e72f6eceb5f8bc152, the forgot-password functionality disclosed sensitive information through its error messages. Specifically, when a user submits a password reset request for an email address that does not exist in the system, the application redirects to the forgot password page without displaying a message. In contrast, if the email address exists but the reset process fails, a message stating "E-mail sent..." is shown [2], [3]. This difference in response behavior allows an attacker to determine whether a particular email address is registered, which is an instance of the weakness "Generation of Error Message Containing Sensitive Information" [1].
Exploitation
An attacker requires no authentication and only needs network access to the Live Helper Chat instance. By sending password reset requests for different email addresses and observing the response behavior (redirect vs. message display), the attacker can enumerate valid registered emails. No user interaction or special privileges are needed [2], [3].
Impact
Successful exploitation enables an attacker to build a list of registered email addresses associated with the Live Helper Chat system. This information leakage can be used for targeted phishing attacks or other social engineering campaigns against platform users. The confidentiality of user email addresses is compromised [4].
Mitigation
The vulnerability is fixed in the commit fbed8728be59040a7218610e72f6eceb5f8bc152 [3]. The fix ensures that the same generic message — "If this e-mail exists we have send password remind link. Click the link in the email and You will be able to set a new password." — is displayed regardless of whether the email exists [3]. Users should update to a version that includes this commit or apply the patch directly. No workarounds are mentioned in the available references [2], [4].
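A regression check for the fix described above, as an added example that is not from the Live Helper Chat project: it compares the reply to a reset request for a registered address with the reply for an unregistered one and lists every feature that tells them apart. The status codes, redirect path, `csrf_token` field name and sample bodies are constructed assumptions.

```python
import re
from collections import namedtuple

# location is the Location header, "" when absent
Response = namedtuple("Response", "status location body")

# Per-request values that legitimately vary and must not count as a signal.
# The field name csrf_token is hypothetical; adapt it to the form under test.
_VOLATILE = re.compile(r'name="csrf_token" value="[^"]*"')

def _normalise(body):
    """Strip volatile tokens and collapse whitespace before comparing."""
    return re.sub(r"\s+", " ", _VOLATILE.sub("", body)).strip()

def distinguishing_signals(known, unknown):
    """Features that differ between the reply for a registered address
    and the reply for an unregistered one; an empty list means uniform."""
    signals = []
    if known.status != unknown.status:
        signals.append("status")
    if known.location != unknown.location:
        signals.append("location")
    if _normalise(known.body) != _normalise(unknown.body):
        signals.append("body")
    return signals

def page(message, token):
    """Build a constructed HTML reply carrying a per-request token."""
    return f'<input type="hidden" name="csrf_token" value="{token}">\n<p>{message}</p>'

# Constructed samples modelled on the behaviour described above (status codes
# and the redirect path are assumptions, not captured traffic).
OLD_MSG = "E-mail sent. Click the link in the email and You will be able to set a new password."
NEW_MSG = ("If this e-mail exists we have send password remind link. "
           "Click the link in the email and You will be able to set a new password.")
PRE_FIX = (Response(200, "", page(OLD_MSG, "t1")),
           Response(302, "/user/forgotpassword", ""))
POST_FIX = (Response(200, "", page(NEW_MSG, "t2")),
            Response(200, "", page(NEW_MSG, "t3")))

if __name__ == "__main__":
    print("pre-fix :", distinguishing_signals(*PRE_FIX))
    print("post-fix:", distinguishing_signals(*POST_FIX))
```

The comparison covers status, redirect target and body only; response timing is outside what it checks.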
- [1] GitHub - LiveHelperChat/livehelperchat: Live Helper Chat - live support for your website. Featuring web and mobile apps, Voice & Video & ScreenShare. Supports Telegram, Twilio (whatsapp), Facebook messenger including building a bot.
- [2] NVD - CVE-2022-0083
- [3] Show same message in all cases · LiveHelperChat/livehelperchat@fbed872
- [4] The world’s first bug bounty platform for AI/ML
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.91 | 3.91 |
Affected products
- osv-coords: 2 versions (< 3.91.0 + 1 more)
- (no CPE) range: < 3.91.0
- (no CPE) range: < 3.91
- livehelperchat/livehelperchat/livehelperchat (v5) range: unspecified
Patches
fbed8728be59: Show same message in all cases
2 files changed · +3 −3
lhc_web/design/defaulttheme/tpl/lhuser/forgotpasswordsent.tpl.php+1 −1 modified@@ -1,2 +1,2 @@ <h1><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/forgotpasswordsent','Password reminder');?></h1> -<p><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/forgotpasswordsent','E-mail sent. Click the link in the email and You will be able to set a new password.')?></p> +<p><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('user/forgotpasswordsent','If this e-mail exists we have send password remind link. Click the link in the email and You will be able to set a new password.')?></p>
lhc_web/modules/lhuser/forgotpassword.php+2 −2 modified@@ -94,9 +94,9 @@ $tpl = erLhcoreClassTemplate::getInstance( 'lhuser/forgotpasswordsent.tpl.php'); } else { - erLhcoreClassModule::redirect('user/forgotpassword'); - exit; + $tpl = erLhcoreClassTemplate::getInstance( 'lhuser/forgotpasswordsent.tpl.php'); } + } else { $tpl->set('errors',$Errors); }
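Review bot: The replacement sentence in forgotpasswordsent.tpl.php has grammar slips that every user of the reset form will see: "we have send password remind link" should read "we have sent a password reminder link", and "You" does not need a capital mid-sentence. Since the English sentence is the argument passed to getTranslation('user/forgotpasswordsent', ...), translations written for the old "E-mail sent." sentence should be checked so that non-English installs show the new neutral wording too.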
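Review bot: In forgotpassword.php both arms of the inner if/else now assign the same template, erLhcoreClassTemplate::getInstance( 'lhuser/forgotpasswordsent.tpl.php'), so the assignment can move out of the conditional and the else arm can be dropped, which also keeps the two paths from drifting apart later. The hunk adds a stray blank line before the outer "} else {" that should be removed. The rendered page now matches in both cases, but the visible lines do not show what the first arm does before it responds, so it is worth confirming that the status code and response time are the same on both paths as well.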
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4xww-6h7v-29jg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-0083 (ghsa, ADVISORY)
- github.com/livehelperchat/livehelperchat/commit/fbed8728be59040a7218610e72f6eceb5f8bc152 (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/4c477440-3b03-42eb-a6e2-a31b55090736 (ghsa, x_refsource_CONFIRM, WEB)