Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in LiveHelperChat prior to 3.93v allows attackers to inject malicious scripts via the department group name field.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in LiveHelperChat versions before 3.93v. The department group editing templates render the department group name inside `<h1>` elements that AngularJS compiles, and the name is not neutralized against AngularJS template interpolation, allowing injection of arbitrary HTML and JavaScript. This affects the `lhc_web` component in versions prior to 3.93v [1][2].
Exploitation
An attacker must have access to edit department groups (e.g., admin or operator role). They can inject a malicious payload into the name field of a department group. When an administrator or operator views the edited department group page (e.g., /department/editgroup), the injected script executes in their browser. No additional user interaction beyond visiting the page is required [3][4].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, or defacement. The attacker gains the same privileges as the victim, potentially compromising the entire LiveHelperChat instance [2][4].
Mitigation
The vulnerability is fixed in LiveHelperChat version 3.93v. The fix (commit ff70c7d) adds the `ng-non-bindable` attribute to the affected `<h1>` and `<form>` elements to prevent AngularJS template injection in the rendered group name. Users should upgrade to version 3.93v or later. No workarounds are provided [3][4].
- GitHub - LiveHelperChat/livehelperchat: Live Helper Chat - live support for your website. Featuring web and mobile apps, Voice & Video & ScreenShare. Supports Telegram, Twilio (whatsapp), Facebook messenger including building a bot.
- NVD - CVE-2022-0387
- fix · LiveHelperChat/livehelperchat@ff70c7d
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
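To make the Mitigation point concrete, here is an added JavaScript model (not LiveHelperChat code) of why PHP's htmlspecialchars() did not stop this bug: HTML escaping leaves `{{ }}` untouched, and AngularJS interpolates any `{{ }}` in the markup it compiles unless an ancestor carries ng-non-bindable. The heading shape mirrors editgroup.tpl.php; the group name is a constructed test value, and angularInterpolations() is a deliberately simplified stand-in for the AngularJS compiler, not the real one.

```javascript
// Added example, not LiveHelperChat code. Models the server-side escaping and
// the client-side AngularJS interpolation that together explain this bug.

// JavaScript equivalent of PHP htmlspecialchars() with ENT_QUOTES.
function htmlspecialchars(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Server-side render of the heading, in the shape of editgroup.tpl.php.
// nonBindable=false is the pre-fix markup, nonBindable=true the patched markup.
function renderHeading(groupName, nonBindable) {
  const attr = nonBindable ? ' ng-non-bindable' : '';
  return `<h1${attr}>Edit department group - ${htmlspecialchars(groupName)}</h1>`;
}

// Simplified stand-in for the AngularJS compiler: returns every {{ }} expression
// it would hand to $parse. Subtrees under ng-non-bindable are skipped, because
// $compile does not descend into them. (Assumes no same-named nested tags.)
function angularInterpolations(html) {
  const bound = html.replace(/<(\w+)\b[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/g, '');
  return Array.from(bound.matchAll(/\{\{([\s\S]*?)\}\}/g), (m) => m[1].trim());
}

// Constructed group name: harmless arithmetic that AngularJS would evaluate.
const GROUP_NAME = 'Sales {{7*7}} <b>team</b>';

// Escaping neutralizes the <b> tag but leaves the braces intact:
// htmlspecialchars(GROUP_NAME) -> 'Sales {{7*7}} &lt;b&gt;team&lt;/b&gt;'
// so without ng-non-bindable the viewer's browser still evaluates 7*7:
// angularInterpolations(renderHeading(GROUP_NAME, false)) -> ['7*7']
// angularInterpolations(renderHeading(GROUP_NAME, true))  -> []
```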
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.93 | 3.93 |
Affected products
- livehelperchat/livehelperchat/livehelperchatv5 (range: unspecified)
Patches
- ff70c7dd641b: fix
3 files changed · +3 −3
lhc_web/design/defaulttheme/tpl/lhdepartment/editgroup.tpl.php+1 −1 modified@@ -1,4 +1,4 @@ -<h1><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('department/edit','Edit department group');?> - <?php echo htmlspecialchars($departament_group->name)?></h1> +<h1 ng-non-bindable><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('department/edit','Edit department group');?> - <?php echo htmlspecialchars($departament_group->name)?></h1> <?php if (isset($errors)) : ?> <?php include(erLhcoreClassDesign::designtpl('lhkernel/validation_error.tpl.php'));?>
lhc_web/design/defaulttheme/tpl/lhdepartment/editlimitgroup.tpl.php+1 −1 modified@@ -1,4 +1,4 @@ -<h1><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('department/edit','Edit department limit group');?> - <?php echo htmlspecialchars($departament_group->name)?></h1> +<h1 ng-non-bindable><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('department/edit','Edit department limit group');?> - <?php echo htmlspecialchars($departament_group->name)?></h1> <?php if (isset($errors)) : ?> <?php include(erLhcoreClassDesign::designtpl('lhkernel/validation_error.tpl.php'));?>
lhc_web/design/defaulttheme/tpl/lhdepartment/newgroup.tpl.php+1 −1 modified@@ -4,7 +4,7 @@ <?php include(erLhcoreClassDesign::designtpl('lhkernel/validation_error.tpl.php'));?> <?php endif; ?> -<form action="<?php echo erLhcoreClassDesign::baseurl('department/newgroup')?>" method="post"> +<form action="<?php echo erLhcoreClassDesign::baseurl('department/newgroup')?>" method="post" ng-non-bindable> <?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?>
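Review bot: in the editgroup.tpl.php hunk, `ng-non-bindable` on the `<h1>` only protects the heading; `$departament_group->name` already passes through htmlspecialchars() there, so the remaining exposure is AngularJS re-interpreting `{{ }}` in the escaped text, and every other place this template echoes the name inside AngularJS-compiled markup needs the same attribute. The newgroup.tpl.php hunk marks the whole `<form>` instead; applying that wider scope here too would avoid having to locate each echo individually. A commit message of just `fix` also leaves no record that this is a client-side template injection fix; a one-line description naming the advisory would help future audits.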
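Review bot: the editlimitgroup.tpl.php hunk is identical to the editgroup.tpl.php change, so the same scoping question applies: confirm the name is not echoed again lower in this template inside bound markup. The two templates differ only in the translation string, so consolidating the heading into a shared include would keep future escaping fixes from having to be applied in three places. Unrelated to this change, `$departament_group` is misspelt consistently across all three templates; a follow-up rename would be worthwhile.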
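Review bot: in the newgroup.tpl.php hunk, marking the entire `<form>` as `ng-non-bindable` is the broader and safer scope, but it also disables every AngularJS directive and binding inside the form, so check that nothing in it (an `ng-model` on a field or an `ng-click` on a button, for example) depended on AngularJS. The visible context shows only the validation-error include and the CSRF token include, not where a submitted name would be re-rendered after a failed validation; a short comment stating why the attribute is needed on a creation form would make the intent clear to the next reader.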
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w4hp-pcp8-qhf3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-0387 (ghsa, ADVISORY)
- github.com/livehelperchat/livehelperchat/commit/ff70c7dd641b68b9afb170b89ec1ef003a4e3444 (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/2e09035b-8f98-4930-b7e8-7abe5f722b98 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.