VYPR
Moderate severity · NVD Advisory · Published Jan 17, 2022 · Updated Aug 2, 2024

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

CVE-2022-0253

Description

livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LiveHelperChat is vulnerable to stored cross-site scripting via AngularJS template injection: stored names are HTML-escaped but still interpolated by AngularJS, allowing attackers to execute arbitrary JavaScript in the admin panel.

Vulnerability

LiveHelperChat [1] is an open-source live support chat application. A stored cross-site scripting (XSS) vulnerability exists due to improper neutralization of user input [2]. Several operator-facing templates print stored names (saved chat-view names, $search->name, and webhook names, $item->name) through htmlspecialchars() into a page section that AngularJS compiles. HTML escaping stops tag and attribute injection, but the browser decodes the entities before AngularJS reads the text node, so a name containing {{ ... }} is still interpolated and evaluated as an AngularJS expression. The vulnerability affects versions prior to commit 407d0b1 [3] (January 17, 2022), which adds ng-non-bindable to the rendering elements in lhviews/loadview.tpl.php, lhviews/save_chat_view.tpl.php, lhwebhooks/edit.tpl.php and lhwebhooks/editincoming.tpl.php.

Exploitation

An attacker can inject AngularJS expressions (e.g., {{constructor.constructor('alert(1)')()}}) into fields that are later displayed in the admin panel. The templates changed by the fix render the names of saved chat views and webhooks, which are configured from the operator/admin interface, so injecting through those fields requires an account that can create or edit such records; whether an unauthenticated visitor can reach an AngularJS-interpolated field is not shown by the patch. When an administrator views the affected page, AngularJS interpolates the stored name and evaluates the expression, leading to arbitrary JavaScript execution in the administrator's browser [4].

Impact

Successful exploitation executes arbitrary JavaScript in the administrator's browser, in the origin of the LiveHelperChat instance. This enables session hijacking (or, where the session cookie is HttpOnly, riding the live session by issuing requests from the page as the administrator), theft of sensitive data, and full compromise of the instance. The impact is elevated because the victim is a privileged operator and the payload is stored, so it fires every time the affected page is opened.

Mitigation

The vulnerability was fixed in commit 407d0b1 [3] by adding the ng-non-bindable attribute to the elements that print user-controlled names. The attribute tells the AngularJS compiler to skip that element and its descendants, so {{ }} sequences in the text are left as literal characters. Users should update to a version of LiveHelperChat that includes this commit. If an immediate update is not possible, the patch consists of four one-line template changes and can be applied by hand. Two caveats apply when doing so: HTML escaping (htmlspecialchars) alone does not prevent this class of injection, so adding more escaping is not a fix; and ng-non-bindable covers only the element it is placed on and its children, so any other template that prints the same stored field inside an AngularJS scope needs its own attribute. No other workarounds are documented. The CVE is not listed in CISA KEV.
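The following is an added example written for this page; it is not LiveHelperChat or AngularJS code. It models the escape-then-interpolate sequence described under Vulnerability, Exploitation and Mitigation: a PHP htmlspecialchars() equivalent, the browser's entity decoding, a scanner for AngularJS's default {{ }} interpolation delimiters, and a compile walk that skips ng-non-bindable subtrees the way the AngularJS compiler does. The node shapes, the renderTitle function, the demo function and the sample webhook name are constructed for the demonstration; the delimiter switch at the end is a general AngularJS option ($interpolateProvider), not what the project's fix does.

```javascript
// Added example for this page (not LiveHelperChat or AngularJS source).
// Models why htmlspecialchars() output is still interpolated by AngularJS,
// and why ng-non-bindable stops it. Only text nodes are modelled; AngularJS
// also interpolates attribute values, which is not needed for this case.

// PHP htmlspecialchars() with ENT_QUOTES, as used in the patched templates.
function htmlspecialchars(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#039;');
}

// What the HTML parser hands to the DOM as the text node's data: the named and
// numeric references emitted above are decoded again before any script runs.
function decodeEntities(s) {
  return s.replace(/&#0*39;/g, "'")
          .replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}

// Delimiter scan in the spirit of AngularJS $interpolate: returns the expression
// strings that would be handed to $parse for one text node.
function findInterpolations(text, start = '{{', end = '}}') {
  const exprs = [];
  let i = 0;
  for (;;) {
    const s = text.indexOf(start, i);
    if (s === -1) break;
    const e = text.indexOf(end, s + start.length);
    if (e === -1) break;
    exprs.push(text.slice(s + start.length, e).trim());
    i = e + end.length;
  }
  return exprs;
}

// Minimal stand-in for the $compile walk. A node is either a text string or
// { tag, attrs, children }; a subtree marked ng-non-bindable is skipped whole.
function compile(node, out = []) {
  if (typeof node === 'string') {
    out.push(...findInterpolations(decodeEntities(node)));
    return out;
  }
  if ('ng-non-bindable' in node.attrs) return out;
  for (const child of node.children) compile(child, out);
  return out;
}

// Stand-in for the patched line
//   <h1 ng-non-bindable><?php echo htmlspecialchars($item->name)?></h1>
// rendered inside an ng-app page; nonBindable=false is the pre-patch template.
function renderTitle(name, nonBindable) {
  const h1Attrs = nonBindable ? { 'ng-non-bindable': '' } : {};
  const page = {
    tag: 'div', attrs: { 'ng-app': '' },
    children: [{ tag: 'h1', attrs: h1Attrs, children: [htmlspecialchars(name)] }],
  };
  return compile(page); // the expressions AngularJS would evaluate for this page
}

// Constructed sample: a webhook name carrying the page's example payload.
const SAMPLE_NAME = "billing {{constructor.constructor('alert(1)')()}}";

function demo() {
  const escaped = htmlspecialchars(SAMPLE_NAME);
  return {
    escaped,                                    // quotes became &#039; but {{ }} survive
    beforeFix: renderTitle(SAMPLE_NAME, false), // one expression reaches $parse
    afterFix: renderTitle(SAMPLE_NAME, true),   // nothing is interpolated
    // General AngularJS option (not the project's fix): an app configured with
    // $interpolateProvider.startSymbol('[[') / endSymbol(']]') never treats {{ }} as code.
    otherDelimiters: findInterpolations(decodeEntities(escaped), '[[', ']]'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the escaped string with the braces intact, one expression for the pre-patch template, and an empty list for the patched one. The point to take from beforeFix is that the expression string is exactly the attacker's text, quotes restored, even though the HTML source contained &#039;.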

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
remdex/livehelperchat (Packagist) | <= 3.91 | (not listed)

Affected products: 2

Patches (1)
407d0b1a1fa5

Do not execute angular title

https://github.com/livehelperchat/livehelperchat · Remigijus Kiminas · Jan 17, 2022 · via ghsa
4 files changed · +4 −4
  • lhc_web/design/defaulttheme/tpl/lhviews/loadview.tpl.php · +1 −1 modified
    @@ -2,7 +2,7 @@
         <?php if (!$list_mode) : ?>
         <div role="tabpanel" id="tabs" ng-cloak>
             <ul class="nav nav-pills" role="tablist">
    -            <li role="presentation" class="nav-item"><a class="nav-link active" href="#chatlist" aria-controls="chatlist" role="tab" data-toggle="tab" title="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('chat/onlineusers','Chat list');?>">
    +            <li role="presentation" class="nav-item"><a class="nav-link active" href="#chatlist" aria-controls="chatlist" ng-non-bindable role="tab" data-toggle="tab" title="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('chat/onlineusers','Chat list');?>">
                         <?php echo htmlspecialchars($search->name)?> </a>
                 </li>
             </ul>
    
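Review bot: ng-non-bindable on the <a> in this hunk exempts only the anchor's own subtree, i.e. the htmlspecialchars($search->name) text on the next line; any other place that prints $search->name inside the ng-cloak tab panel above, or in another Angular-compiled page, is still interpolated. Consider also rejecting or breaking up the "{{" sequence when the view name is saved, so the stored value is safe regardless of which template renders it.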
  • lhc_web/design/defaulttheme/tpl/lhviews/save_chat_view.tpl.php · +1 −1 modified
    @@ -9,7 +9,7 @@
     
     <?php include(erLhcoreClassDesign::designtpl('lhchat/lists/search_panel_append_print_multiinclude.tpl.php'));?>
     
    -    <form action="<?php echo htmlspecialchars($action_url)?>/(export)/2?<?php echo $appendPrintExportURL?>" method="post" target="_blank" onsubmit="return lhinst.submitModalForm($(this))">
    +    <form action="<?php echo htmlspecialchars($action_url)?>/(export)/2?<?php echo $appendPrintExportURL?>" method="post" ng-non-bindable target="_blank" onsubmit="return lhinst.submitModalForm($(this))">
     
             <?php if (isset($errors)) : ?>
                 <?php include(erLhcoreClassDesign::designtpl('lhkernel/validation_error.tpl.php'));?>
    
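Review bot: placing the attribute on the <form> exempts only the form's subtree, but the search_panel_append_print_multiinclude.tpl.php include two lines above sits outside the form and is not covered by it. If that partial prints the view name or any other stored field, it needs its own ng-non-bindable, or the include should be moved inside the form.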
  • lhc_web/design/defaulttheme/tpl/lhwebhooks/editincoming.tpl.php · +1 −1 modified
    @@ -1,4 +1,4 @@
    -<h1><?php echo htmlspecialchars($item->name)?></h1>
    +<h1 ng-non-bindable><?php echo htmlspecialchars($item->name)?></h1>
     
     <?php if (isset($errors)) : ?>
         <?php include(erLhcoreClassDesign::designtpl('lhkernel/validation_error.tpl.php'));?>
    
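Review bot: the <h1> was already wrapped in htmlspecialchars() and was still exploitable, which is the fact worth recording next to the change: HTML escaping does not neutralize AngularJS {{ }} interpolation, because the browser decodes the entities before the text node is compiled. A one-line comment beside the ng-non-bindable would stop a later cleanup from removing an attribute that looks redundant next to an escaped echo.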
  • lhc_web/design/defaulttheme/tpl/lhwebhooks/edit.tpl.php · +1 −1 modified
    @@ -1,4 +1,4 @@
    -<h1><?php echo htmlspecialchars($item->name)?></h1>
    +<h1 ng-non-bindable><?php echo htmlspecialchars($item->name)?></h1>
     
     <?php if (isset($errors)) : ?>
     	<?php include(erLhcoreClassDesign::designtpl('lhkernel/validation_error.tpl.php'));?>
    
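Review bot: this is the same one-attribute change as in editincoming.tpl.php, but nothing in the four-file patch adds a test. A regression test that saves a webhook named {{1+1}} and asserts the edit page shows the literal text rather than 2 would cover both webhook templates, and the same check should be extended to any other template that renders $item->name inside an Angular scope, since the fix is per rendering site rather than at the point where the name is stored.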

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)
