Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Live Helper Chat is vulnerable to Cross-Site Request Forgery (CSRF) because its file configuration endpoint accepted state-changing POST requests without validating a CSRF token.
Vulnerability
Live Helper Chat (versions before 3.92, i.e. all releases prior to the commit that introduced CSRF protection) suffers from a Cross-Site Request Forgery (CSRF) vulnerability [1], [2]. The file configuration handler in lhc_web/modules/lhfile/configuration.php, with its form template at lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php, stored submitted settings whenever the StoreFileConfiguration POST field was present, without checking a CSRF token, as shown in the patch at commit 6ad1349 [3]. Any user with access to that page who visits an attacker-controlled site while logged into Live Helper Chat can have their session used to modify file configuration settings without their consent.
Exploitation
An attacker crafts a malicious HTML page containing an auto-submitting form that POSTs to the file/configuration endpoint of the target Live Helper Chat instance, carrying the StoreFileConfiguration field and the settings to be written [2], [3]. The victim's browser attaches the Live Helper Chat session cookie to that cross-site request, so the server treats it as the victim's own submission. The attacker must identify an authenticated user and entice them to load the crafted page (e.g., via a link in an email or a page embedding the form); no credentials, network position or direct server access are needed. One practical caveat: whether the session cookie is sent with a cross-site POST at all depends on its SameSite attribute and the browser's default for cookies that do not set one, so the attack surface varies by deployment and client.
Impact
Successful exploitation allows the attacker to modify the file configuration settings of Live Helper Chat without the victim's consent [2], [3]. The patched handler reads an AllowedFileTypes field from the same form, so an attacker could, for example, widen the set of file extensions the application accepts on upload, or alter other file-handling settings exposed on that page. The impact is bounded by the privilege level of the victim: the forged request can only do what the victim's account is allowed to do, so the realistic target is an administrator with access to the file configuration page.
Mitigation
The vulnerability is fixed in commit 6ad1349, shipped in version 3.92 according to the advisory's affected-version data, by rendering a per-session token into the form via the lhkernel/csfr_token.tpl.php template and rejecting any StoreFileConfiguration submission whose csfr_token field is missing or fails $currentUser->validateCSFRToken() [3]. Users should update their Live Helper Chat installation to 3.92 or later (or at least to this commit). If immediate patching is not possible, administrators can limit which accounts may reach the file configuration page (shrinking the pool of useful victims) and monitor for unexpected writes to those settings; setting the session cookie with a restrictive SameSite attribute is a reasonable defense in depth, but no complete workaround is documented in the references.
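As an added illustration (Python modelling the PHP handler's logic; this is not Live Helper Chat code), the following runs the forged request from the Exploitation section against a pre-fix handler and then against a handler with a session-bound token check like the one described in the Mitigation section. The form field names StoreFileConfiguration, AllowedFileTypes and csfr_token come from the patch; the Session class, issue_csrf_token, validate_csrf_token and the two store_configuration_* functions are assumptions made for the example.

```python
"""Added example, not project code: CSRF on a settings handler, before and
after a session-bound token check (names other than the form fields are
assumptions)."""
import hmac
import secrets


class Session:
    """Stand-in for the server-side PHP session of a logged-in user."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = None  # issued when the form is rendered


def issue_csrf_token(session):
    """Mint (once per session) the token the form template would render
    as the hidden 'csfr_token' field."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_hex(32)
    return session.csrf_token


def validate_csrf_token(session, presented):
    """Constant-time comparison of the submitted value against the
    session's token; anything missing or mismatched is rejected."""
    if session.csrf_token is None or presented is None:
        return False
    return hmac.compare_digest(session.csrf_token, presented)


def store_configuration_vulnerable(post, session, config):
    """Pre-fix behaviour: any POST carrying StoreFileConfiguration is
    honoured. The browser attaches the session cookie automatically, so a
    form on an attacker's site is indistinguishable from the real one."""
    if "StoreFileConfiguration" in post:
        config["AllowedFileTypes"] = post.get("AllowedFileTypes", "")
        return "stored"
    return "ignored"


def store_configuration_fixed(post, session, config):
    """Post-fix behaviour: the token check runs before any input is
    parsed or stored; failure redirects back to the page, as the patch does."""
    if "StoreFileConfiguration" in post:
        if not validate_csrf_token(session, post.get("csfr_token")):
            return "redirect:file/configuration"
        config["AllowedFileTypes"] = post.get("AllowedFileTypes", "")
        return "stored"
    return "ignored"


# Constructed: the body an attacker's auto-submitting cross-site form would
# send. It carries no csfr_token because the attacker's page cannot read the
# victim's session or the rendered form (same-origin policy); it can only
# make the victim's browser submit.
FORGED_POST = {"StoreFileConfiguration": "1", "AllowedFileTypes": "php,phtml"}


def demo():
    """Return (vulnerable result, config after vulnerable handler,
    fixed-handler result for the forged body, fixed-handler result for a
    legitimate body, final config)."""
    session = Session(user="admin")
    config = {"AllowedFileTypes": "jpg,png,pdf"}
    before = store_configuration_vulnerable(FORGED_POST, session, config)
    config_after_vuln = dict(config)

    config = {"AllowedFileTypes": "jpg,png,pdf"}
    rejected = store_configuration_fixed(FORGED_POST, session, config)

    # A legitimate submission comes from the rendered form, which carries
    # the token issued to this session.
    token = issue_csrf_token(session)
    legit = {"StoreFileConfiguration": "1",
             "AllowedFileTypes": "jpg,png",
             "csfr_token": token}
    accepted = store_configuration_fixed(legit, session, config)
    return before, config_after_vuln, rejected, accepted, config


if __name__ == "__main__":
    print(demo())
```

The forged body is accepted by the pre-fix handler and changes AllowedFileTypes; the hardened handler redirects without writing, and only the submission carrying the session's own token is stored. The token is compared with hmac.compare_digest so a wrong guess is not distinguishable by timing.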
[1] GitHub - LiveHelperChat/livehelperchat: Live Helper Chat - live support for your website. Featuring web and mobile apps, Voice & Video & ScreenShare. Supports Telegram, Twilio (whatsapp), Facebook messenger including building a bot.
[2] NVD - CVE-2022-0231
[3] CSRF for file configuration URL · LiveHelperChat/livehelperchat@6ad1349
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.92 | 3.92 |
Affected products
- (no CPE) range: < 3.91.0
- (no CPE) range: < 3.92
- livehelperchat/livehelperchat/livehelperchat v5, range: unspecified
Patches
6ad1349dc5e7 CSRF for file configuration URL
2 files changed · +8 −0
lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php+2 −0 modified@@ -10,6 +10,8 @@ <form action="" ng-non-bindable method="post"> + <?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?> + <div class="row"> <div class="col-6"> <div class="form-group">
lhc_web/modules/lhfile/configuration.php+6 −0 modified@@ -7,6 +7,12 @@ if (isset($_POST['StoreFileConfiguration'])) { + + if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) { + erLhcoreClassModule::redirect('file/configuration'); + exit; + } + $definition = array( 'AllowedFileTypes' => new ezcInputFormDefinitionElement( ezcInputFormDefinitionElement::OPTIONAL, 'string'
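Review bot: in the configuration.tpl.php hunk, the `include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'))` sits inside the `<form ... method="post">`, so the hidden field is submitted with the settings, which is correct; a custom theme that overrides this template without the same include will have every save rejected by the new server-side check, which redirects without any message. That dependency is worth stating in the commit message or release notes.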
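Review bot: in the configuration.php hunk, the rejection path `erLhcoreClassModule::redirect('file/configuration'); exit;` gives the user no indication that the submission was dropped, so a legitimate form whose token no longer matches (expired session, stale cached page) fails silently; set an error for the redirected page to display before redirecting. Placing the check inside `if (isset($_POST['StoreFileConfiguration']))` and ahead of the `$definition` array is right, since validation happens before any input is parsed or stored. `validateCSFRToken` is not in this diff, so how it compares the token (constant-time or not) cannot be reviewed here.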
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8m28-w6xg-35hw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0231 (NVD advisory)
- github.com/livehelperchat/livehelperchat/commit/6ad1349dc5e7503b00c5017499a0a895d7654a61 (fix commit)
- huntr.dev/bounties/adaf98cf-60ab-40e0-aa3b-42ba0d3b7cbf (huntr report, confirmation)
News mentions
No linked articles in our index yet.