Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in LiveHelperChat before 3.93v allows injection of arbitrary JavaScript via personal theme settings, impacting all users viewing the crafted theme.
Vulnerability
Stored Cross-Site Scripting (XSS) exists in LiveHelperChat versions prior to 3.93v [2]. The vulnerability resides in the personal theme functionality, where user-supplied content for static resources is included in AngularJS templates without proper sanitization, allowing injection of arbitrary JavaScript [3][4].
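The unsafe pattern described above is stored settings emitted straight into an AngularJS template (the fix commit below shows them inside an ng-init attribute, where AngularJS evaluates the value as an expression). The following is an added JavaScript example, not LiveHelperChat's code, of the safer shape: the server emits the settings as escaped JSON in a data-only script block and the client reads it back with JSON.parse, so the stored values are never evaluated. The function names and the sample settings are constructed for illustration.

```javascript
// Added example (not from the LiveHelperChat project): carry stored theme
// settings to the browser as inert data instead of as code or as an
// AngularJS expression. All names here are illustrative.

// Serialize to JSON and escape the characters that could close a <script>
// block or start HTML/comment sequences. The output is still valid JSON,
// because \u003c etc. are ordinary JSON string escapes.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server side: emit the settings in a non-executable script block.
// type="application/json" means the browser never runs it as JavaScript.
function renderThemeData(settings) {
  return '<script type="application/json" id="personal-theme">' +
         jsonForScript(settings) + '</script>';
}

// Client side: locate the block and parse its text as JSON. The markup is
// handled as a string here so the example runs without a DOM; in a page
// this would be JSON.parse(document.getElementById(...).textContent).
function parseThemeData(html) {
  const m = html.match(
    /<script type="application\/json" id="personal-theme">([\s\S]*?)<\/script>/);
  if (!m) throw new Error('theme data block not found');
  return JSON.parse(m[1]);
}

// True if the rendered markup contains any closing script tag other than
// the one that ends the data block, i.e. the data escaped its container.
function hasScriptBreakout(html) {
  return (html.match(/<\/script/gi) || []).length !== 1;
}

// Constructed sample: values that would terminate a <script> block, or be
// treated as an AngularJS interpolation, if inserted into the page raw.
const sampleSettings = {
  staticResources: ['a</script><b>x</b>', '{{ 1 + 1 }}'],
  staticJSResources: ['app.js'],
};

// Stand-alone run: render, check containment, and round-trip the data.
const rendered = renderThemeData(sampleSettings);
console.log(rendered);
console.log('breakout:', hasScriptBreakout(rendered));
console.log('round trip ok:',
  JSON.stringify(parseThemeData(rendered)) === JSON.stringify(sampleSettings));
```

The two properties that matter are visible in the output: no `<`, `>` or `&` survives in the emitted block, so neither `</script>` nor any tag can appear inside it, and the client obtains the values through JSON.parse, which never evaluates its input, so a stored `{{ ... }}` arrives as a plain string rather than an expression.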
Exploitation
An attacker who can configure a personal theme (e.g., an authenticated administrator) can insert malicious AngularJS expressions into the static content fields (e.g., static_content, static_js_content). Any user who visits a page using the crafted theme will execute the injected script in their browser. No additional privileges or user interaction beyond viewing the page is required [3][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user viewing the malicious theme. This can lead to session hijacking, data theft, defacement, or other actions on behalf of the victim. The attack is stored and affects all users of the manipulated theme.
Mitigation
The issue is fixed in LiveHelperChat version 3.93v [2][3]. Users should upgrade to this version or later. No workarounds have been published. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.93 | 3.93 |
Affected products
- livehelperchat/livehelperchat/livehelperchatv5 (Range: unspecified)
Patches
- 9f5bc33c9433 CSRF For personal theme
4 files changed · +31 −3
lhc_web/design/defaulttheme/js/admintheme.form.angular.js+12 −0 modified@@ -91,5 +91,17 @@ lhcAppControllers.controller('IClickToCallFormGenerator',['$scope','$http','$loc }); delete that.staticCSSResources[field.hash]; }; + + this.initVariables = function () { + if (window.PersonalTheme.staticResources) { + this.staticResources = window.PersonalTheme.staticResources; + } + if (window.PersonalTheme.staticJSResources) { + this.staticJSResources = window.PersonalTheme.staticJSResources; + } + if (window.PersonalTheme.staticCSSResources) { + this.staticCSSResources = window.PersonalTheme.staticCSSResources; + } + } }]); \ No newline at end of file
lhc_web/design/defaulttheme/tpl/lhkernel/validation_error.tpl.php+1 −1 modified@@ -1,5 +1,5 @@ <?php if (isset($errors)) : ?> -<div data-alert class="alert alert-danger alert-dismissible fade show"> +<div data-alert class="alert alert-danger alert-dismissible fade show" ng-non-bindable> <?php if (!isset($hideErrorButton)) : ?> <button type="button" class="close" data-dismiss="alert" aria-label="Close"> <span aria-hidden="true">×</span>
lhc_web/design/defaulttheme/tpl/lhtheme/admin/form.tpl.php+17 −1 modified@@ -4,7 +4,23 @@ <?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?> -<div role="tabpanel" ng-controller="IClickToCallFormGenerator as cform" ng-init='<?php if ($form->static_content != '') : ?>cform.staticResources = <?php echo $form->static_content?>;<?php endif;?><?php if ($form->static_js_content != '') : ?>cform.staticJSResources = <?php echo $form->static_js_content?>;<?php endif;?><?php if ($form->static_css_content != '') : ?>cform.staticCSSResources = <?php echo $form->static_css_content?>;<?php endif;?>'> +<script> + window.PersonalTheme = {}; + + <?php if ($form->static_content != '') : ?> + window.PersonalTheme.staticResources = <?php echo $form->static_content;?> + <?php endif; ?> + + <?php if ($form->static_js_content != '') : ?> + window.PersonalTheme.staticJSResources = <?php echo $form->static_js_content;?> + <?php endif; ?> + + <?php if ($form->static_css_content != '') : ?> + window.PersonalTheme.staticCSSResources = <?php echo $form->static_css_content;?> + <?php endif; ?> +</script> + +<div role="tabpanel" ng-controller="IClickToCallFormGenerator as cform" ng-init="cform.initVariables();"> <!-- Nav tabs --> <ul class="nav nav-tabs" role="tablist">
lhc_web/design/defaulttheme/tpl/lhtheme/personaltheme.tpl.php+1 −1 modified@@ -5,7 +5,7 @@ <form action="<?php echo erLhcoreClassDesign::baseurl('theme/personaltheme')?>" method="post" autocomplete="off" enctype="multipart/form-data"> <div class="form-group"> - <label><input type="checkbox" name="EnabledPersonal" value="on" <?php if ($enabledPersonal == true) : ?>checked="checked"<?php endif;?> /> Enable personal theme for me</label> + <label><input type="checkbox" name="EnabledPersonal" value="on" <?php if ($enabledPersonal == true) : ?>checked="checked"<?php endif;?> /> <?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('admintheme/form','Enable personal theme for me');?></label> </div> <?php if (isset($updated)) : $msg = erTranslationClassLhTranslation::getInstance()->getTranslation('admintheme/form','Updated'); ?>
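Review bot: In admintheme.form.angular.js, the new initVariables dereferences window.PersonalTheme without checking that it exists, so any template that uses the IClickToCallFormGenerator controller without the new `<script>` block from form.tpl.php will throw a TypeError at ng-init. Suggest `var theme = window.PersonalTheme || {};` at the top of the function and reading the three properties from `theme`; the three `if` checks then stay as they are.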
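Review bot: In validation_error.tpl.php, ng-non-bindable stops AngularJS from compiling the alert's subtree, so `{{...}}` inside an error message is no longer evaluated as an expression; it does not HTML-escape the message text itself, so the strings rendered inside this div still need server-side escaping, which this hunk does not show. A one-line template comment explaining why the attribute is there would stop it being dropped in a later markup cleanup.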
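Review bot: In form.tpl.php, `<?php echo $form->static_content;?>` (and the two sibling fields) is still emitted unescaped; moving it from the ng-init attribute into a `<script>` block removes the AngularJS expression evaluation but the value is now parsed as JavaScript, so a stored value containing `</script>` or non-JSON syntax still ends up as markup or code. Suggest emitting it through `json_encode(json_decode($form->static_content), JSON_HEX_TAG | JSON_HEX_AMP)` (or validating the field as JSON on save) and terminating each assignment with `;` rather than relying on the following newline.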
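Review bot: In personaltheme.tpl.php, the only change is wrapping the checkbox label in getTranslation, which is unrelated to the XSS fix carried by the other three files; bundling it here makes the security-relevant hunks harder to audit. Suggest splitting it into its own commit or noting it in the commit message.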
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8wcc-f2vq-h4gx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-0370 (ghsa, ADVISORY)
- github.com/livehelperchat/livehelperchat/commit/9f5bc33c943349bd765b991db0b7f6b6ef05cfdb (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/fbe4b376-57ce-42cd-a9a9-049c4099b3ca (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.