Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Live Helper Chat versions before commit f59ffb0 lack CSRF protection, allowing an attacker to forge requests on behalf of an authenticated admin.
Vulnerability
Live Helper Chat, an open-source live support application, is vulnerable to Cross-Site Request Forgery (CSRF) in versions prior to the commit f59ffb02984c0ce2fbb19ac39365066507de9370. The vulnerability exists because state-changing operations do not require a CSRF token, allowing an attacker to trick an authenticated administrator into performing unintended actions. [2] [3]
Exploitation
To exploit this vulnerability, an attacker crafts a webpage or HTML email that causes the victim's browser to submit a forged request (for example an auto-submitting form POST) to a state-changing endpoint in Live Helper Chat; the patched file shows one such endpoint, the audit module's configuration handler, which accepted a `StoreOptions` POST without any token. The victim must be logged in as an administrator and open the attacker's page while the session is active, since the browser attaches the session cookie to the cross-site request automatically. No special network position is required; the attack is delivered remotely via social engineering. [2] [4]
Impact
Successful exploitation lets the attacker perform administrative actions on behalf of the victim through any form that lacked the check, such as modifying settings, creating or deleting users, changing permissions, or executing other state-changing operations. The fix commit covers the audit-log configuration (fields such as the `days_log` retention period), so at minimum an attacker could alter how audit logging is configured; the breadth of further abuse depends on which other forms were unprotected. At worst this compromises the application's integrity and availability and may expose sensitive data. [2] [4]
Mitigation
The fix is commit f59ffb02984c0ce2fbb19ac39365066507de9370 in the livehelperchat/livehelperchat repository; the Packagist package remdex/livehelperchat carries it from version 3.92, so administrators should upgrade to 3.92 or later. If upgrading is not immediately possible, defense-in-depth measures such as setting SameSite=Lax or SameSite=Strict on the session cookie, or requiring a custom request header that a cross-site form cannot set, reduce exposure, though no official workaround is documented and neither replaces a per-request token check on the server. [2] [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
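Added example (not code from the advisory, the AI Insight, or the Live Helper Chat project): a Python model of the vulnerable and patched `StoreOptions` handler, using the field names visible in the fix diff (`StoreOptions`, `csfr_token`, `days_log`). The session store, `login()`, the `Request` class, the status codes and the contents of the attacker's form are assumptions constructed for the demonstration. It shows why a cross-site page, which makes the victim's browser attach the session cookie but cannot read the per-session token, succeeds against the pre-fix handler and fails against the patched one.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the server-side session store (session id -> data).
# Live Helper Chat uses PHP sessions; this dict and its keys are assumptions.
SESSIONS = {}


def login(user):
    """Create a session for `user` with a fresh random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "options": {}}
    return sid


@dataclass
class Request:
    """Minimal model of an HTTP POST as the server sees it (assumed shape)."""
    cookies: dict  # attached by the browser, whether the request is same-site or not
    post: dict     # form fields; an attacker's page controls these fully


def store_options_vulnerable(req):
    """Pre-fix behaviour: any POST carrying a valid session cookie is honoured."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None or "StoreOptions" not in req.post:
        return 403
    sess["options"]["days_log"] = int(req.post.get("days_log", 0))
    return 200


def validate_csrf_token(sess, presented):
    """Compare the presented token with the session's token in constant time."""
    if not isinstance(presented, str):
        return False
    # Compare bytes so non-ASCII input cannot raise and length mismatch is just False.
    return hmac.compare_digest(sess["csrf_token"].encode(), presented.encode())


def store_options_patched(req):
    """Post-fix behaviour: the POST must also carry the session's csfr_token."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None or "StoreOptions" not in req.post:
        return 403
    if not validate_csrf_token(sess, req.post.get("csfr_token")):
        return 302  # mirrors the fix's redirect-and-exit on a missing or bad token
    sess["options"]["days_log"] = int(req.post.get("days_log", 0))
    return 200


def forged_request(victim_sid):
    """What an auto-submitting form on an attacker's page yields: the victim's
    browser attaches the session cookie, but the page cannot read the token."""
    return Request(cookies={"sid": victim_sid},
                   post={"StoreOptions": "1", "days_log": "0"})


def legitimate_request(sid):
    """The admin's own form, rendered by the app, embeds the session's token."""
    return Request(cookies={"sid": sid},
                   post={"StoreOptions": "1", "days_log": "30",
                         "csfr_token": SESSIONS[sid]["csrf_token"]})


def demo():
    """Run the forged request against both handlers and return what happened."""
    victim = login("admin")
    vulnerable_status = store_options_vulnerable(forged_request(victim))
    vulnerable_days = SESSIONS[victim]["options"].get("days_log")

    victim = login("admin")  # fresh session for the patched handler
    patched_forged = store_options_patched(forged_request(victim))
    patched_legit = store_options_patched(legitimate_request(victim))
    patched_days = SESSIONS[victim]["options"].get("days_log")

    return {
        "vulnerable_forged": vulnerable_status,   # 200: attacker set days_log to 0
        "vulnerable_days_log": vulnerable_days,
        "patched_forged": patched_forged,         # 302: rejected, nothing stored
        "patched_legit": patched_legit,           # 200: admin's own form still works
        "patched_days_log": patched_days,
    }


if __name__ == "__main__":
    print(demo())
```

The token is generated per session and compared with `hmac.compare_digest` so that a mismatch leaks nothing through timing. A SameSite=Lax session cookie would additionally make modern browsers drop the cookie from the cross-site form POST, but the server-side token is the control the application itself can enforce regardless of client behaviour.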
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.92 | 3.92 |
Affected products
OSV coordinates (3 entries):
- (no CPE) range: < 2.0.0
- (no CPE) range: < 3.92
- livehelperchat/livehelperchat/livehelperchatv5 (range: unspecified)
Patches
f59ffb02984c: Missing csfr check
1 file changed · +5 −0
lhc_web/modules/lhaudit/configuration.php+5 −0 modified@@ -7,6 +7,11 @@ if ( isset($_POST['StoreOptions']) ) { + if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) { + erLhcoreClassModule::redirect(); + exit; + } + $definition = array( 'days_log' => new ezcInputFormDefinitionElement(ezcInputFormDefinitionElement::OPTIONAL, 'int'), 'log_js' => new ezcInputFormDefinitionElement(ezcInputFormDefinitionElement::OPTIONAL, 'boolean'),
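Review bot: the guard is added only inside this file's `StoreOptions` branch, and the diff touches one file (+5 −0), while the advisory describes missing CSRF protection on state-changing operations generally; confirm that the other modules' POST handlers received the same `csfr_token` check, or move it into a shared pre-dispatch hook so that a new handler cannot omit it. `$currentUser` is referenced but not defined in the visible context, so verify it is initialized on every path that reaches this module before line 7 (an unauthenticated request hitting a null `$currentUser` would fatal instead of redirecting). A failed token check on an admin endpoint is also a useful detection signal, so consider logging the rejected request rather than silently calling `erLhcoreClassModule::redirect()`.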
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/advisories/GHSA-6jmh-9gqm-5xrx (GitHub Security Advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2022-0226 (NVD entry)
3. https://github.com/livehelperchat/livehelperchat/commit/f59ffb02984c0ce2fbb19ac39365066507de9370 (fix commit)
4. https://huntr.dev/bounties/635d0abf-7680-47f6-a277-d9a91471c73f (huntr.dev report)