VYPR
Moderate severity · NVD Advisory · Published Feb 28, 2024 · Updated Aug 2, 2024

CVE-2024-27516

Description

Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34v, allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-Side Template Injection in Live Helper Chat before v4.34 allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter.

Root Cause

CVE-2024-27516 is a Server-Side Template Injection (SSTI) vulnerability in Live Helper Chat versions before 4.34. The vulnerability exists in the file lhc_web/modules/lhfaq/faqweight.php, where the search parameter from HTTP GET requests is not properly sanitized. Specifically, while strip_tags is used to remove HTML and PHP tags, it does nothing about AngularJS-style template expressions written with {{ }} delimiters [2][4], so the value reaches the template engine intact. This allows an attacker to inject arbitrary template expressions that are evaluated on the server.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the affected endpoint. The official proof-of-concept (PoC) demonstrates that appending ?search={{123*123}} to the URL (e.g., /lhc_web/index.php/site_admin/?search={{123*123}}) causes the server to evaluate the injected expression [4]. No authentication is required, making the attack remotely exploitable with low complexity.

Impact

Successful exploitation allows a remote attacker to execute arbitrary code on the server and obtain sensitive information. The SSTI vulnerability can be leveraged to access internal system data, execute server-side commands, or potentially compromise the entire application [2]. The severity is considered high due to the potential for full system compromise.

Mitigation

The vendor addressed the issue in commit a61d231, which introduces additional filtering by removing {{ and }} from the search parameter before rendering [3]. The fix is included in Live Helper Chat version 4.34 and later. Users are advised to upgrade immediately or apply the patch manually. No known workarounds are available, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
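As an added illustration (not code from the Live Helper Chat project or from this advisory), the following Python shows two defender-side checks drawn from the Root Cause, Exploitation and Mitigation sections above: a scan of web-server access-log lines that flags `search` parameters carrying `{{ ... }}` template expressions, and a filter that mirrors the approach the advisory attributes to commit a61d231, dropping the literal `{{` and `}}` delimiters before the value is rendered. The log lines, IP addresses and timestamps are constructed samples; the function names are mine, and the project's own code is PHP, so this is a transliteration of the idea rather than its implementation.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format; hosts and IPs are
# hypothetical). The first two reproduce the {{123*123}} probe from the
# advisory, once percent-encoded and once literal; the others are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2024:10:01:02 +0000] "GET /lhc_web/index.php/site_admin/?search=%7B%7B123*123%7D%7D HTTP/1.1" 200 5120
203.0.113.7 - - [28/Feb/2024:10:01:09 +0000] "GET /lhc_web/index.php/site_admin/?search={{123*123}} HTTP/1.1" 200 5120
198.51.100.4 - - [28/Feb/2024:10:02:44 +0000] "GET /lhc_web/index.php/site_admin/?search=password+reset HTTP/1.1" 200 4096
198.51.100.9 - - [28/Feb/2024:10:03:10 +0000] "GET /lhc_web/index.php/chat/startchat HTTP/1.1" 200 2048
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A template expression as the advisory describes it: anything between {{ and }}.
TEMPLATE_EXPR_RE = re.compile(r'\{\{.*?\}\}', re.S)


def decode_param(raw):
    """Percent-decode repeatedly (bounded) so encoded delimiters are still seen."""
    for _ in range(3):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def search_params_from_target(target):
    """Return every value of the `search` query parameter in a request target."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("search", [])


def is_suspicious_search(value):
    """True when the decoded value contains a {{ ... }} template expression."""
    return bool(TEMPLATE_EXPR_RE.search(decode_param(value)))


def scan_log(text):
    """Detection: list requests whose `search` parameter looks like SSTI probing."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        for value in search_params_from_target(match["target"]):
            if is_suspicious_search(value):
                hits.append({
                    "ip": match["ip"],
                    "ts": match["ts"],
                    "search": decode_param(value),
                })
    return hits


def strip_template_delimiters(value):
    """Mitigation: drop the literal {{ and }} delimiters, the approach the
    advisory attributes to the vendor fix (a Python rendering, not the PHP patch)."""
    return value.replace("{{", "").replace("}}", "")


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} search={hit['search']!r}")
    print(strip_template_delimiters("{{123*123}}"))
```

The detector decodes the parameter before matching, so the percent-encoded probe in the first sample line is flagged alongside the literal one; legitimate searches that happen to contain a pair of double braces would also be flagged, which is an acceptable false-positive rate for a parameter that should never carry template syntax. The filter is a denylist of two literal delimiters, exactly as narrow as the advisory describes, so upgrading to 4.34 or later remains the actual fix.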

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: remdex/livehelperchat (Packagist)
Affected versions: < 4.29
Patched versions: 4.29
