VYPR
Moderate severity · NVD Advisory · Published Jan 28, 2022 · Updated Aug 2, 2024

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

CVE-2022-0395

Description

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Live Helper Chat prior to 3.93v allows attackers to inject arbitrary JavaScript in the user box.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) issue in Live Helper Chat (LHC) prior to version 3.93v. The flaw is in the template lhc_web/design/defaulttheme/tpl/pagelayouts/parts/user_box.tpl.php, in the user box that displays the operator's name and surname. The code escapes the output with htmlspecialchars(), but that function leaves the AngularJS {{ }} delimiters untouched, and because the anchor element lacks the ng-non-bindable attribute, AngularJS still evaluates expressions in the rendered name, leading to XSS. This affects all versions before 3.93v [1][2].

Exploitation

An attacker with the ability to modify their own name or surname (e.g., via profile settings) can inject AngularJS expressions or JavaScript code. When the name/surname is rendered in the user box of any page, the injected script executes in the context of the victim's browser visiting the affected page. No additional user interaction beyond viewing the page is required [3][4].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user (including administrators) who views a page containing the affected user box. This can lead to session hijacking, stealing cookies, performing actions on behalf of the victim, displaying fake content, or exfiltrating sensitive information. The attacker gains no server-side access but can fully compromise the victim's client-side session [2][4].

Mitigation

The fix was released in version 3.93v. The commit 8fdb4f67ac1a095331aa0fb4630ef9dfe8e75dcb adds the ng-non-bindable attribute to the anchor element, preventing AngularJS from evaluating expressions. Users should upgrade to 3.93v or later immediately. No workaround is available for earlier versions [3][4].
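
One way to check other templates for the same pattern, as an added example (not code from Live Helper Chat or from this advisory): it reports PHP output that no element or ancestor covers with ng-non-bindable. The names `audit_template`, `BEFORE` and `AFTER` and the sample markup are constructed, and the check is a heuristic that does not know whether a value is user-controlled or inside an AngularJS-compiled region.

```python
import re
from html.parser import HTMLParser

PHP_BLOCK = re.compile(r"<\?(?:php|=).*?\?>", re.DOTALL)
MARK = "@@PHP_OUT@@"   # placeholder left where a PHP block prints a value
VOID = {"br", "hr", "img", "input", "link", "meta"}

def _mask(match):
    block = match.group(0)
    prints = block.startswith("<?=") or re.search(r"\b(echo|print)\b", block)
    # Keep the newlines so reported line numbers match the original file.
    return (MARK if prints else "") + "\n" * block.count("\n")

class _Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, has ng-non-bindable) per open element
        self.findings = []   # (line, tag) where PHP output stays bindable

    def _check(self, exposed, tag, protected=False):
        if exposed and not protected and not any(p for _, p in self.stack):
            self.findings.append((self.getpos()[0], tag))

    def handle_starttag(self, tag, attrs):
        protected = any(k == "ng-non-bindable" for k, _ in attrs)
        # Attribute values are interpolated too unless the element opts out.
        self._check(any(v and MARK in v for _, v in attrs), tag, protected)
        if tag not in VOID:
            self.stack.append((tag, protected))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self._check(MARK in data, self.stack[-1][0] if self.stack else "(root)")

def audit_template(source):
    # Returns (line, tag) for PHP output not covered by ng-non-bindable.
    auditor = _Auditor()
    auditor.feed(PHP_BLOCK.sub(_mask, source))
    auditor.close()
    return auditor.findings

# Constructed samples, abridged from the anchor element in the fix commit.
BEFORE = '<li class="nav-item">\n  <a href="#" class="nav-link"><?php echo htmlspecialchars($UserData->name)?></a>\n</li>'
AFTER = BEFORE.replace('class="nav-link"', 'class="nav-link" ng-non-bindable')
```

`audit_template(BEFORE)` reports the anchor on line 2, and `audit_template(AFTER)` reports nothing.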

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: remdex/livehelperchat (Packagist)
Affected versions: < 3.93
Patched versions: 3.93

Patches

1
8fdb4f67ac1a

Escape in user box

https://github.com/livehelperchat/livehelperchat · Remigijus Kiminas · Jan 27, 2022 · via ghsa
1 file changed · +1 −1
  • lhc_web/design/defaulttheme/tpl/pagelayouts/parts/user_box.tpl.php (+1 −1, modified)
    @@ -12,7 +12,7 @@
     
     ?>
     <li class="nav-item dropleft">
    -    <a href="#" class="nav-link dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false"><?php echo htmlspecialchars($UserData->name),' ',htmlspecialchars($UserData->surname)?></a>
    +    <a href="#" class="nav-link dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" ng-non-bindable><?php echo htmlspecialchars($UserData->name),' ',htmlspecialchars($UserData->surname)?></a>
         <div class="dropdown-menu" style="min-width: 25rem;" role="menu">
     
             <div class="row">
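
Review bot: On the `+` line, ng-non-bindable is applied to this one anchor only, while the values are still escaped with htmlspecialchars() alone, which leaves `{{` and `}}` intact. Any other template that prints $UserData->name or $UserData->surname inside an AngularJS-compiled region needs the same attribute, so the remaining templates should be checked for these two fields, or the protection moved into a shared wrapper so it does not depend on each template remembering it. The change also touches a single file and adds no test; a rendering test that uses a name containing `{{` would guard this element against regression.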
    
