Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Live Helper Chat before 3.93v allows attackers to inject arbitrary JavaScript via unescaped Angular template expressions in embed pages.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in the Live Helper Chat application (Packagist remdex/livehelperchat) prior to version 3.93v [1]. The flaw occurs in the embed page generation templates (lhc_web/design/defaulttheme/tpl) where user-supplied values, specifically locale and theme IDs, are inserted into HTML without proper escaping [3]. Because the application uses AngularJS for client-side rendering, these unescaped values can be interpreted as Angular template expressions, allowing an attacker to execute arbitrary JavaScript in the context of the embed page [4].
Exploitation
An attacker with the ability to modify the locale or theme settings in the Live Helper Chat administrative interface can inject a malicious Angular expression (e.g., {{constructor.constructor('alert(1)')()}}) into the LocaleID or ThemeID fields [2][3]. When an operator or visitor loads an embed page that renders these settings, the AngularJS framework evaluates the expression as code, achieving stored XSS. No user interaction beyond visiting the affected page is required [4].
Impact
Successful exploitation allows execution of arbitrary JavaScript in the browser of any user viewing the compromised embed page [4]. An attacker can steal session cookies, exfiltrate sensitive chat data, impersonate operators, or perform actions on behalf of the victim within the Live Helper Chat application. The impact is limited to the scope of the user's session, which may include administrative privileges [2].
Mitigation
The vulnerability is fixed in release 3.93v [1][2]. The fix, introduced in commit d7b85466c217b3750eaccc8703ce54ba8785c4d3, adds the ng-non-bindable attribute to the affected `<div>` and `<select>` elements in the embed-code templates, which tells AngularJS not to compile or interpolate anything inside those subtrees [3]. Users should upgrade to version 3.93v or later. No workaround is available for older versions [4].
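The root cause described above (AngularJS evaluating `{{ }}` wherever it appears in the rendered DOM) and the fix (scoping the untrusted values under ng-non-bindable) can be checked mechanically. The following Python audit is an added example, not code from Live Helper Chat: it walks rendered HTML with the standard-library parser, tracks which elements sit under an ng-non-bindable ancestor, and reports every interpolation marker in text or attribute values that AngularJS would still evaluate. The two HTML samples are constructed to mirror the LocaleID select from the patched templates, with a benign `{{1+1}}` locale value standing in for an attacker-controlled one.

```python
"""Audit rendered AngularJS pages for {{ }} interpolation outside ng-non-bindable subtrees."""
from html.parser import HTMLParser
import re

# AngularJS interpolates anything between {{ and }} in text nodes and attribute
# values unless an ancestor element carries ng-non-bindable.
INTERPOLATION = re.compile(r"\{\{.*?\}\}", re.S)

# Elements that never get a closing tag, so they must not linger on the open-element stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class InterpolationAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # one (tag, inside_non_bindable_subtree) entry per open element
        self.findings = []   # human-readable descriptions of unprotected interpolations

    def _protected(self):
        return self.stack[-1][1] if self.stack else False

    def handle_starttag(self, tag, attrs):
        # ng-non-bindable is a bare attribute, so html.parser reports its value as None.
        protected = self._protected() or any(name == "ng-non-bindable" for name, _ in attrs)
        if not protected:
            for name, value in attrs:
                if value and INTERPOLATION.search(value):
                    line = self.getpos()[0]
                    self.findings.append(f"attribute {tag}[{name}] at line {line}: {value}")
        if tag not in VOID_ELEMENTS:
            self.stack.append((tag, protected))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting in templates.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if not self._protected():
            parent = self.stack[-1][0] if self.stack else "document"
            for match in INTERPOLATION.finditer(data):
                line = self.getpos()[0]
                self.findings.append(f"text in <{parent}> at line {line}: {match.group(0)}")


def audit(html):
    """Return a list of {{ }} occurrences AngularJS would evaluate on this page."""
    parser = InterpolationAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the pre-fix layout, with a hostile locale ID rendered as an option.
VULNERABLE_EMBED = """
<h1>HTML code</h1>
<div class="row">
  <div class="col-md-6">
    <label>Choose a language</label>
    <select id="LocaleID" class="form-control">
      <option value="eng/">eng</option>
      <option value="{{1+1}}/">{{1+1}}</option>
    </select>
  </div>
</div>
"""

# Constructed sample: the same markup after adding ng-non-bindable on the wrapping row.
PATCHED_EMBED = VULNERABLE_EMBED.replace('<div class="row">', '<div class="row" ng-non-bindable>')


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_EMBED), ("patched", PATCHED_EMBED)):
        findings = audit(page)
        print(f"{label}: {len(findings)} unprotected interpolation(s)")
        for finding in findings:
            print("  " + finding)
```

The audit reports both the attribute value and the option text on the vulnerable sample and nothing on the patched one; run it against a saved copy of each embed page after upgrading to confirm the attribute actually covers every place the locale and theme IDs are echoed. It checks only AngularJS interpolation, so server-side HTML escaping of the echoed values is still needed for the ordinary markup-injection case.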
- GitHub - LiveHelperChat/livehelperchat: Live Helper Chat - live support for your website. Featuring web and mobile apps, Voice & Video & ScreenShare. Supports Telegram, Twilio (whatsapp), Facebook messenger including building a bot.
- NVD - CVE-2022-0394
- Escape for angular in embed pages · LiveHelperChat/livehelperchat@d7b8546
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| remdex/livehelperchat (Packagist) | < 3.93 | 3.93 |
Affected products
3 products (OSV coordinates), 2 version ranges:
- (no CPE) range: < 3.93.0
- (no CPE) range: < 3.93
- livehelperchat/livehelperchat/livehelperchat v5, range: unspecified
Patches
- d7b85466c217: Escape for angular in embed pages (3 files changed, +4 −4)
lhc_web/design/defaulttheme/tpl/lhfaq/embedcode.tpl.php+1 −1 modified@@ -1,6 +1,6 @@ <h1><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('system/htmlcode','HTML code');?></h1> -<div class="row"> +<div class="row" ng-non-bindable> <div class="col-md-6"> <div class="form-group"> <label><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('system/htmlcode','Choose a language');?></label> <select id="LocaleID" class="form-control">
lhc_web/design/defaulttheme/tpl/lhfaq/htmlcode.tpl.php+1 −1 modified@@ -24,7 +24,7 @@ </div> </div> -<div class="row"> +<div class="row" ng-non-bindable> <div class="col-md-6"> <div class="form-group"> <label><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('system/htmlcode','Choose a language');?></label> <select id="LocaleID" class="form-control">
lhc_web/design/defaulttheme/tpl/lhquestionary/embedcode.tpl.php+2 −2 modified@@ -3,7 +3,7 @@ <div class="row"> <div class="col-md-6"> <label><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('system/htmlcode','Choose a language');?></label> - <select class="form-control" id="LocaleID"> + <select class="form-control" id="LocaleID" ng-non-bindable> <?php foreach ($locales as $locale ) : ?> <option value="<?php echo $locale?>/"><?php echo $locale?></option> <?php endforeach; ?> @@ -19,7 +19,7 @@ </div> <div class="col-md-6 end"> <label><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('system/htmlcode','Theme')?></label> - <select class="form-control" id="ThemeID"> + <select class="form-control" id="ThemeID" ng-non-bindable> <option value="0"><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('system/htmlcode','Default');?></option> <?php foreach (erLhAbstractModelWidgetTheme::getList(array('limit' => 1000)) as $theme) : ?> <option value="<?php echo $theme->id?>"><?php echo htmlspecialchars($theme->name)?></option>
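Review bot: In the lhquestionary/embedcode.tpl.php hunks, `<option value="<?php echo $locale?>/"><?php echo $locale?></option>` still echoes `$locale` into an attribute value and a text node without `htmlspecialchars()`, while the theme option a few lines down does use `htmlspecialchars($theme->name)`. `ng-non-bindable` only stops AngularJS from interpolating `{{ }}` inside the select; it does nothing for plain HTML or attribute injection, so both `$locale` echoes should be wrapped in `htmlspecialchars()` for the same reason the theme name is.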
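Review bot: The two lhfaq templates put `ng-non-bindable` on the wrapping `<div class="row">`, which also covers the labels and any other markup in that row, whereas lhquestionary/embedcode.tpl.php attaches it to each `<select>` individually even though the same `<div class="row">` wrapper is visible in that hunk's context. Applying the attribute at the row level there as well would make the three templates consistent and avoid missing any further echoes of the locale or theme values added to that row later.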
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vwxp-9qmf-w299 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-0394 (ghsa, ADVISORY)
- github.com/livehelperchat/livehelperchat/commit/d7b85466c217b3750eaccc8703ce54ba8785c4d3 (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/e13823d0-271c-448b-a0c5-8549ea7ea272 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.