VYPR
Moderate severity · NVD Advisory · Published Jan 26, 2022 · Updated Aug 2, 2024

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

CVE-2022-0374

Description

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Live Helper Chat before v3.93v allows attackers to inject arbitrary JavaScript via chat messages.

Vulnerability

Live Helper Chat versions prior to 3.93v contain a stored cross-site scripting (XSS) vulnerability [1][2]. The flaw exists in the message rendering logic, where chat messages are not properly sanitized before being stored and later displayed to operators and other chat participants [3]. The vulnerable code path is triggered whenever a user sends a chat message that contains malicious HTML or JavaScript [4].
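As an added illustration (not code from the Live Helper Chat project or from this advisory), the PHP snippet below contrasts the unsafe pattern the paragraph describes, a stored message body echoed verbatim into the chat view, with the hardened form in which every dynamic value is escaped for the HTML context it lands in. The function names, the message array shape and the sample message are assumptions made for the example. Note that the project's own patch additionally marks server-rendered regions `ng-non-bindable` so that the client-side template engine leaves them untouched; HTML escaping alone does not provide that guarantee, and this example covers HTML-context escaping only.

```php
<?php
// Added example, not Live Helper Chat code: unsafe vs. escaped rendering
// of a stored chat message. Function names and the message array layout
// are assumptions chosen for illustration.
declare(strict_types=1);

/** Escape a string for insertion as HTML text or attribute content. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: name and body are written into the page as-is. */
function render_message_unsafe(array $msg): string
{
    return '<div class="message-row" id="msg-' . $msg['id'] . '">'
        . '<span class="usr-tit">' . $msg['name'] . '</span>'
        . '<div class="msg-body">' . $msg['msg'] . '</div></div>';
}

/** Hardened pattern: every dynamic value is escaped for its HTML context. */
function render_message_safe(array $msg): string
{
    return '<div class="message-row" id="msg-' . (int) $msg['id'] . '">'
        . '<span class="usr-tit">' . esc($msg['name']) . '</span>'
        . '<div class="msg-body">' . esc($msg['msg']) . '</div></div>';
}

// Constructed sample: a visitor message whose body contains markup
// characters. A browser parsing the unsafe output would treat the <b>
// as an element; the safe output shows it as literal text.
$sample = [
    'id'   => 42,
    'name' => 'Visitor & "friends"',
    'msg'  => '<b>not bold</b> & "quoted"',
];

$safe = render_message_safe($sample);

// Self-check: no raw tag survives, the escaped form is present.
if (strpos($safe, '<b>') !== false || strpos($safe, '&lt;b&gt;') === false) {
    throw new RuntimeException('HTML escaping did not neutralise the markup');
}

echo "unsafe: ", render_message_unsafe($sample), "\n";
echo "safe:   ", $safe, "\n";
```

Run it with `php example.php`; the second line is what an operator's browser should receive, with `<`, `>`, `&` and quotes turned into entities so the stored text is displayed rather than parsed.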

Exploitation

An attacker can exploit this vulnerability by sending a crafted chat message containing malicious JavaScript payloads [4]. No special network position or authentication beyond being able to send a message is required. The attacker does not need to be an authenticated operator; a regular chat visitor can inject the payload. The malicious script is then stored in the chat database and executed when the message is rendered in the chat interface for other users [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user who views the affected chat message [4]. This can lead to session hijacking, credential theft, or performing actions on behalf of a victim operator or administrator. Its scope therefore ranges from individual chat sessions to, potentially, the entire Live Helper Chat installation [2].

Mitigation

The vulnerability is fixed in version 3.93v [2]. The fix was applied via commit bbfaa26ce54a2a86ce1a42a16496038f5bdfc102 [3]. Users should upgrade to Live Helper Chat v3.93v or later immediately. No workarounds are documented for versions prior to the fix.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: remdex/livehelperchat (Packagist)
Affected versions: < 3.93
Patched versions: 3.93

Affected products: 3

Patches: 1

bbfaa26ce54a

fx #1734

https://github.com/livehelperchat/livehelperchat · Remigijus Kiminas · Jan 26, 2022 · via ghsa
6 files changed · +43 −74
  • lhc_web/design/defaulttheme/tpl/lhchat/lists/msg_obj_list_admin.tpl.php (+6 −43, modified)
    @@ -1,45 +1,8 @@
    -<?php 
    -
    -$lastOperatorChanged = false;
    -$lastOperatorId = false;
    -$lastOperatorNick = '';
    -
    -foreach ($messages as $msg) : 
    -
    -if ($lastOperatorId !== false && ($lastOperatorId != $msg->user_id || $lastOperatorNick != $msg->name_support)) {
    -    $lastOperatorChanged = true;
    -    $lastOperatorNick = $msg->name_support;
    -} else {
    -    $lastOperatorChanged = false;
    +<?php
    +$messagesDefault = [];
    +foreach ($messages as $msg) {
    +    $messagesDefault[] = $msg->getState();
     }
    -
    -$lastOperatorId = $msg->user_id;
    -
    -    if ($msg->meta_msg != '') {
    -        $metaMessageData = json_decode($msg->meta_msg, true); $messageId = $msg->id;
    -    } else if (isset($metaMessageData)) {
    -        unset($metaMessageData);
    -    }
    -
    +$messages = $messagesDefault;
     ?>
    -<?php if ($msg->user_id == -1) : ?>
    -	<div class="message-row system-response" id="msg-<?php echo $msg->id?>"><div class="msg-date"><?php echo date(erLhcoreClassModule::$dateDateHourFormat,$msg->time);?></div><i><span class="usr-tit sys-tit"><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('chat/syncadmin','System assistant')?></span><?php echo erLhcoreClassBBCode::make_clickable(htmlspecialchars($msg->msg))?></i></div>
    -<?php else : ?>
    -    <?php if ($msg->msg != '' ||
    -        isset($metaMessageData['content']['text_conditional']) ||
    -        isset($metaMessageData['content']['chat_operation']) ||
    -        isset($metaMessageData['content']['html']['content']) ||
    -        isset($metaMessageData['content']['button_message'])
    -    ) : ?>
    -        <div class="message-row<?php echo $msg->user_id == 0 ? ' response' : ' message-admin'.($lastOperatorChanged == true ? ' operator-changes' : '')?>" id="msg-<?php echo $msg->id?>"><div class="msg-date"><?php echo date(erLhcoreClassModule::$dateDateHourFormat,$msg->time);?></div><span class="usr-tit<?php echo $msg->user_id == 0 ? ' vis-tit' : ' op-tit'?>"><?php if ($msg->user_id == 0) : ?><i class="material-icons"><?php echo ($chat->device_type == 0 ? 'computer' : ($chat->device_type == 1 ? 'smartphone' : 'tablet'))?></i><?php endif;?><?php echo $msg->user_id == 0 ? htmlspecialchars($chat->nick) : htmlspecialchars($msg->name_support) ?></span>
    -            <?php $msgBody = $msg->msg; $paramsMessageRender = array('sender' => $msg->user_id, 'html_as_text' => true);?>
    -            <?php include(erLhcoreClassDesign::designtpl('lhchat/lists/msg_body.tpl.php'));?>
    -
    -            <?php if (isset($metaMessageData)) : ?>
    -                <?php include(erLhcoreClassDesign::designtpl('lhgenericbot/message/meta_render_admin.tpl.php'));?>
    -            <?php endif; ?>
    -            
    -        </div>
    -    <?php endif;?>
    -<?php endif;?>
    -<?php endforeach;?>
    \ No newline at end of file
    +<?php include(erLhcoreClassDesign::designtpl('lhchat/syncadmin.tpl.php'));?>
    \ No newline at end of file
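Review bot: the escaping this template used to perform itself (`htmlspecialchars($msg->msg)` for system messages, `htmlspecialchars($msg->name_support)` for operator names) disappears from the visible lines, and all rendering now happens in `lhchat/syncadmin.tpl.php`, which is not part of this diff, so the output encoding of the admin message list cannot be reviewed from this patch alone; please confirm that template escapes `msg`, `name_support` and `nick` for the HTML context and mention it in the commit message. Also, `$messages` is reassigned to an array of `getState()` arrays before the include, so any code in the included template still written against message objects (`$msg->id`, `$msg->user_id`) would fail; the change of type is worth a comment.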
    
  • lhc_web/design/defaulttheme/tpl/lhchat/lists/msg_obj_list.tpl.php (+20 −23, modified)
    @@ -1,32 +1,29 @@
    -<?php 
    -
    +<?php
     $lastOperatorChanged = false;
     $lastOperatorId = false;
    +$lastOperatorNick = '';
     
    -foreach ($messages as $msg ) : if ($msg->user_id > -1 || $msg->user_id == -2) : 
    +$messagesStats = array(
    +    'total_messages' => count($messages),
    +    'counter_messages' => 0,
    +);
     
    -if ($lastOperatorId !== false && $lastOperatorId != $msg->user_id) {
    -    $lastOperatorChanged = true;
    -} else {
    -    $lastOperatorChanged = false;
    -}
    +foreach ($messages as $msg) :
    +    $msg = $msg->getState();
    +    $messagesStats['counter_messages']++;
     
    -$lastOperatorId = $msg->user_id;
    +    if ($lastOperatorId !== false && ($lastOperatorId != $msg['user_id'] || $msg['name_support'] != $lastOperatorNick)) {
    +        $lastOperatorChanged = true;
    +        $lastOperatorNick = $msg['name_support'];
    +    } else {
    +        $lastOperatorChanged = false;
    +    }
     
    -if ($msg->meta_msg != '') {
    -    $metaMessageData = json_decode($msg->meta_msg, true); $messageId = $msg->id;
    -} else if (isset($metaMessageData)) {
    -    unset($metaMessageData);
    -}
    +    $lastOperatorId = $msg['user_id'];
    +    $lastOperatorNick = $msg['name_support'];
     
    -?>
    -<div class="message-row<?php echo $msg->user_id == 0 ? ' response' : ' message-admin'.($lastOperatorChanged == true ? ' operator-changes' : '')?>" id="msg-<?php echo $msg->id?>"><div class="msg-date"><?php echo date(erLhcoreClassModule::$dateDateHourFormat,$msg->time);?></div><span class="usr-tit<?php echo $msg->user_id == 0 ? ' vis-tit' : ' op-tit'?>"><?php echo $msg->user_id == 0 ? htmlspecialchars($chat->nick) : htmlspecialchars($msg->name_support) ?>:&nbsp;</span>
     
    -    <?php $msgBody = $msg->msg; $paramsMessageRender = array('sender' => $msg->user_id);?>
    -    <?php include(erLhcoreClassDesign::designtpl('lhchat/lists/msg_body.tpl.php'));?>
    +    ?>
    +    <?php include(erLhcoreClassDesign::designtpl('lhchat/lists/user_msg_row.tpl.php'));?>
    +<?php endforeach; ?>
     
    -    <?php if (isset($metaMessageData)) : ?>
    -        <?php include(erLhcoreClassDesign::designtpl('lhgenericbot/message/meta_render.tpl.php'));?>
    -    <?php endif; ?>
    -</div>
    -<?php endif; endforeach; ?>
    \ No newline at end of file
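Review bot: the old loop only rendered rows where `$msg->user_id > -1 || $msg->user_id == -2`; the new loop hands every message, including `user_id == -1` system entries, to `lhchat/lists/user_msg_row.tpl.php`, which is not in this diff, so either restore the filter here or confirm that the row template handles the cases the filter used to exclude. Minor: the `$lastOperatorNick = $msg['name_support'];` inside the `if` branch is redundant, since the same assignment is made unconditionally a few lines below. As with the admin list, the escaping of `nick`, `name_support` and the message body now lives in the included template and needs to be checked there.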
    
  • lhc_web/design/defaulttheme/tpl/lhchat/messagelist/plain.tpl.php (+13 −1, modified)
    @@ -1 +1,13 @@
    -<?php foreach ($messages as $msg ) : ?><?php if (!isset($remove_meta) || $remove_meta == false ) :?>[<?php echo date(erLhcoreClassModule::$dateDateHourFormat,$msg->time);?>] [<?php echo $msg->user_id == 0 ? htmlspecialchars($chat->nick) : htmlspecialchars($msg->name_support) ?>] <?php endif;?><?php echo erLhcoreClassBBCodePlain::make_clickable($msg->msg, array('sender' => $msg->user_id)),"\n"?><?php endforeach; ?>
    \ No newline at end of file
    +<?php foreach ($messages as $msg ) :
    +
    +    if (isset($msg->meta_msg) && $msg->meta_msg != '') {
    +        $metaMessageData = json_decode($msg->meta_msg, true); $messageId = isset($triggerMessageId) ? $triggerMessageId : $msg->id;
    +    } else if (isset($metaMessageData)) {
    +        unset($metaMessageData);
    +    }
    +
    +    if (isset($metaMessageData['content']['whisper']) || empty($msg->msg)) {
    +        continue;
    +    }
    +
    +    ?><?php if (!isset($remove_meta) || $remove_meta == false ) :?>[<?php echo date(erLhcoreClassModule::$dateDateHourFormat,$msg->time);?>] [<?php echo $msg->user_id == 0 ? htmlspecialchars($chat->nick) : htmlspecialchars($msg->name_support) ?>] <?php endif;?><?php echo erLhcoreClassBBCodePlain::make_clickable($msg->msg, array('sender' => $msg->user_id)),"\n"?><?php endforeach; ?>
    \ No newline at end of file
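Review bot: the new whisper filter depends on `json_decode($msg->meta_msg, true)` succeeding; when `meta_msg` is non-empty but not valid JSON, `$metaMessageData` becomes `null`, `isset($metaMessageData['content']['whisper'])` is false, and the message is written to the plain export anyway. Checking `json_last_error() === JSON_ERROR_NONE` (or skipping the message when decoding fails) would make a malformed meta record fail closed instead. Separately, `$messageId` is assigned but never read in this file; drop it or note what consumes it.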
    
  • lhc_web/design/defaulttheme/tpl/lhform/collected.tpl.php (+2 −2, modified)
    @@ -1,4 +1,4 @@
    -<h1><?php echo htmlspecialchars($form)?></h1>
    
    +<h1 ng-non-bindable><?php echo htmlspecialchars($form)?></h1>
    
     
    
     <div class="row pb-2">
    
     	<div class="col-6"><a href="<?php echo erLhcoreClassDesign::baseurl('form/downloadcollected')?>/<?php echo $form->id?>" class="btn btn-secondary"><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('form/collected','Download XLS');?></a></div>
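Review bot: `ng-non-bindable` on the `<h1>` is the right mechanism here, because `htmlspecialchars($form)` converts `<`, `>`, `&` and quotes but leaves `{{` and `}}` untouched, so server-side escaping alone does not stop AngularJS from compiling the heading text. A short comment next to the attribute explaining that dependency would keep a future template cleanup from dropping it; the same reasoning applies wherever a user-supplied string is rendered inside an Angular-compiled region of this theme.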
    
    @@ -12,7 +12,7 @@
     	</div>
    
     </div>
    
     
    
    -<table class="table" cellpadding="0" cellspacing="0">
    
    +<table class="table" cellpadding="0" cellspacing="0" ng-non-bindable>
    
     <thead>
    
     <tr>
    
         <th><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('form/collected','Name');?></th>
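Review bot: putting `ng-non-bindable` on `<table>` applies to the whole subtree, so every collected-value cell is covered without per-cell attributes; but the attribute only stops Angular from compiling the region and performs no HTML escaping, so the cell output (not shown in this hunk) must still pass through `htmlspecialchars`. Worth confirming in the rest of the file before merging.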
    
    
  • lhc_web/design/defaulttheme/tpl/lhtheme/admincss.tpl.php (+1 −1, modified)
    @@ -182,7 +182,7 @@
     <?php endif; ?>
     
     <?php if (isset($cssAttributes['buble_operator_background']) || isset($cssAttributes['buble_operator_text_color'])) : ?>
    -    div.message-admin div.msg-body{
    +    div.message-admin:not(.whisper-msg) div.msg-body{
             <?php if (isset($cssAttributes['buble_operator_background'])) : ?>background-color: #<?php echo $cssAttributes['buble_operator_background'];?>;<?php endif; ?>
             <?php if (isset($cssAttributes['buble_operator_text_color'])) : ?>color: #<?php echo $cssAttributes['buble_operator_text_color'];?>;<?php endif; ?>
         }
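Review bot: the `:not(.whisper-msg)` selector change is styling for the whisper feature and unrelated to the XSS fix; bundling it into the security commit makes backporting the fix to older 3.9x branches harder, so it belongs in its own commit. While these lines are being touched, the context lines echo `$cssAttributes['buble_operator_background']` and `..._text_color` directly after `#` into a `<style>` block; validating that the stored value consists of hex digits before echoing would be cheap hardening.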
    
  • lhc_web/design/defaulttheme/tpl/lhtheme/adminthemeedit.tpl.php (+1 −4, modified)
    @@ -1,8 +1,5 @@
    -<div class="row">
    +<div class="row" ng-non-bindable>
         <div class="col-10"><h1><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('admintheme/form','Edit theme');?> - <?php echo htmlspecialchars($form->name)?></h1></div>
    -    <?php /*?><div class="col-2">
    -        <a class="btn btn-secondary" href="?export=1"><i class="material-icons mr-0">file_download</i></a>
    -    </div>*/ ?>
     </div>
     
     <form action="<?php echo erLhcoreClassDesign::baseurl('theme/adminthemeedit')?>/<?php echo $form->id?>" method="post" autocomplete="off" enctype="multipart/form-data">
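Review bot: `ng-non-bindable` on the heading row covers `htmlspecialchars($form->name)` inside the `<h1>`, but the `<form>` in the trailing context line sits outside that `div`, so any theme fields echoed inside the form body are not protected by this attribute and should be checked separately. Removing the commented-out export block is unrelated cleanup and would be clearer as a separate commit.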
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.